Open Source News + Security Updates
This week, read about:
Gitlab 16.3.1
Fixed (1 change):
- [Geo: Resync direct upload object stored artifacts] **GitLab Enterprise Edition**
Security (11 changes):
- [Add authorization checks to import status endpoint]
- [Update commonmarker to 0.23.10]
- [Remove DAST secret variables when URL is updated]
- [Maintainer can leak sentry token by changing the configured URL]
- [Service account users are external by default]
- [Additional permission check when editing label]
- [Fix ReDOS in bulk_imports endpoint params]
- [Prevent namespace level banned users from accessing API]
- [Check prohibit_outer_forks in fork relationship api]
- [Prevent traversal for `path` parameter in refs/switch endpoint]
- [Gitaly keyset pager when pagination none only with tree view]
Docker Compose Engine 2.21.0
Features:
- Support for multi-document YAML files.
- Experimental support for loading remote Compose files from Git repos with include.
Fixes:
- Fix for incorrect proxy variables during build.
- Fix for truncated container logs.
- Fix for "no such service" errors when using include and profiles.
- Fix for .env overrides when using include.
Grafana 10.1.1
Features and Enhancements:
- Loki: Remove distinct operation.
- Whitelabeling: Add a config option to hide the Grafana edition from the footer.
- Alerting: Optimize rule details page data fetching.
- Alerting: Optimize external Loki queries.
Bug Fixes:
- Alerting: Limit redis pool size to 5 and make configurable.
- Elasticsearch: Fix respecting of precision in geo hash grid.
- Dashboard: Fix Variable Dropdown to Enforce Minimum One Selection when 'All' Option is Configured.
- Chore: Fix Random Walk scenario for Grafana DS.
- AuthProxy: Fix user retrieval through cache.
- Alerting: Fix auto-completion snippets for KV properties.
- Alerting: Fix incorrect timing meta information for policy.
- Alerting: Add new Recording Rule button when the list is empty.
- Drawer: Clicking a Select arrow within a Drawer no longer causes it to close.
- Logs: Fix log samples not present with empty first frame.
- Alerting: Fix Recording Rule QueryEditor builder view.
- Transforms: Catch errors while running transforms.
- Dashboard: Fix version restore.
- Logs: Fix permalinks not scrolling into view.
- SqlDataSources: Update metricFindQuery to pass on scopedVars to templateSrv.
- Rendering: Fix dashboard screenshot.
- Loki: Fix validation of step values to also allow e.g. ms values.
- Dashboard: Fix repeated row panel placement with larger number of rows.
- CodeEditor: Correctly fires onChange handler.
- Drawer: Fix scrolling drawer content on Safari.
- Alerting: Remove dump wrapper for yaml config.
- Alerting: Always invalidate the AM config after mutation.
- Slug: Combine various slugify fixes for special character handling.
- Logs: Fix displaying the wrong field as body.
- Alerting: Fix "see graph button" for cloud rules.
Jenkins 2.421
- Add a nicer 404 error page.
- Add appearance system configuration page.
- Optimize performance of label parsing.
- Fix invalid CSS which caused some buttons to become invisible on hover.
- Message no longer appears twice when the agentLog option is used.
MongoDB 7.0.1
Security:
SERVER-78723: Resharding a QE collection fails because of __safeContent__
SERVER-78830: Add count of CSFLE and QE Collections to serverStatus
SERVER-79641: Mirrored read should attach encryptionInformation from the original command
Sharding:
SERVER-62987: Wrong replication logic on refreshes on secondary nodes
SERVER-67529: Resharding silently skips documents with all MaxKey values for their fields under the new shard key pattern
SERVER-78913: Make the periods of query sampling periodic jobs configurable at runtime
Query:
SERVER-80256: QueryPlannerAnalysis::explodeForSort should not assume that index scans produce disjoint results
Internals:
SERVER-71627: Refreshed cached collection route info will severely block all client request when a cluster with 1 million chunks
SERVER-73866: Re-enable agg_merge_when_not_matched_insert.js in config_fuzzer passthrough suites
SERVER-74701: Add checksum verification for blackduck installer
SERVER-75120: libunwind stacktrace issues with --dbg=on on arm64
SERVER-76299: Report writeConflicts in serverStatus on secondaries
SERVER-76339: Increase ShardedClusterFixture's timeout when starting/stopping balancer
SERVER-76433: Copy search_view.js test from 5.0 to all later branches
SERVER-77029: Set syncdelay in TestOplogTruncation before starting the checkpoint thread
SERVER-77183: $project followed by $group gives incorrect results sometimes
SERVER-77223: dbcheck_detects_data_corruption.js needs to wait for primary to log healthlog entry
SERVER-77382: Null embedded metaField for creating a time-series collection leads to invalid BSON index spec
SERVER-77823: Pseudocode for throughput probing
SERVER-78095: Relax the assertion checking for update_multifield_multiupdate.js FSM workload
SERVER-78217: Renaming view return wrong error on sharded cluster (2nd attempt)
SERVER-78369: ignoreUnknownIndexOptions doesn't account for the 'weights' index field
SERVER-78498: Make the balancer failpoint smarter
SERVER-78525: Update jstests/noPassthrough/metadata_size_estimate.js to use a smaller document size
SERVER-78696: Only clear shard filtering metadata before releasing the critical section in collmod participants
SERVER-78769: The asynchronous stop sequence of the Balancer may survive the shutdown of the mongod (and raise false memory leak notifications).
SERVER-78813: Commit point propagation fails indefinitely with exhaust cursors with null lastCommitted optime
SERVER-78862: Fix serialization of nested $elemMatch's
SERVER-78950: Use sequential time series bucket IDs when possible
SERVER-79021: Update Boost's entry in README.third_party.md to 1.79.0
SERVER-79022: Update ASIO's Git hash in README.third_party.md
SERVER-79023: Update C-Ares' entry in README.third_party.md to 1.19.1
SERVER-79033: Image collection invalidation for missing namespace during initial sync always attempts upsert
SERVER-79082: Make analyzeShardKey tests not assert number of orphaned documents <= total number of documents
SERVER-79103: Core dumps are not generated if stopping balancer fails
SERVER-79126: Pin pyyaml in another place
SERVER-79138: Fix data race in AuthorizationSessionTest fixture
SERVER-79236: Server cannot start in standalone if there are cluster parameters
SERVER-79252: Add the system-perf bootstrap file to the task Files section
SERVER-79261: Add logging to ping monitor
SERVER-79316: [7.0] Do not run packager on dynamically linked variants
SERVER-79357: CheckMetadataConsistency is not reading chunks with snapshot read concern
SERVER-79370: Throughput probing statistics not always updated correctly
SERVER-79372: Fix incorrect assertion about number of cursors opened
SERVER-79382: Reset bucket OID counter when encountering a collision
SERVER-79397: Fix and test logic to internally retry time series inserts on OID collision
SERVER-79447: The balancer stop sequence may cause the config server to crash on step down
SERVER-79509: Add testing of transitional FCVs with removeShard and transitionToDedicatedConfigServer
SERVER-79515: Update task generator
SERVER-79607: ShardRegistry shutdown should not wait indefinitely on outstanding network requests
SERVER-79609: Fix findAndModify_upsert.js test to accept StaleConfig error
SERVER-79651: Only use two node replicasets in initial sync performance tests
SERVER-79777: Increase the diff window for the sample size in sample_rate_sharded.js
SERVER-79885: Oplog fetching getMore should not set null lastKnownCommittedOpTime if it is not using exhaust cursors
SERVER-79937: Avoid majority reads within the BalancerDefragmentationPolicy
SERVER-79944: Make analyze_shard_key.js not assert that the number of sampled queries observed via analyzeShardKey and $listSampledQueries is non-decreasing
SERVER-79950: Fix commitPreparedTransaction to not be interruptible in commitSplitTxn and reacquireTicket
SERVER-79981: resize_tickets.js fails in Fixed Concurrent Transactions test suite
SERVER-80153: UBsan core dumps are not being uploaded properly
SERVER-80183: Remove operationTime check from store_retryable_find_and_modify_images_in_side_collection.js
SERVER-80207: Use 4-byte counter for tracking time series bucket direct writes
WT-10714: Select an explicitly labeled perf distro for performance tests
WT-11202: Remove the connection level operation_timeout_ms configuration
WT-11221: Python tests fails due to unexpected "Eviction took more than 1 minute" warning in standard output
WT-11312: Fix incorrect flag check for accurate force eviction stat
WT-11359: Update spinlock tasks to limit disk usage
WT-11419: Increment cc_pages_removed when detecting a deleted page to remove
PHP Interpreter 8.2.10
CLI:
Fixed bug GH-11716 (cli server crashes on SIGINT when compiled with ZEND_RC_DEBUG=1).
Fixed bug GH-10964 (Improve man page about the built-in server).
Date:
Fixed bug GH-11416 (Crash with DatePeriod when uninitialised objects are passed in).
Core:
Fixed strerror_r detection at configuration time.
Fixed trait typed properties using a DNF type not being correctly bound.
Fixed trait property types not being arena allocated if copied from an internal trait.
Fixed deep copy of property DNF type during lazy class load.
Fixed memory freeing of DNF types for non arena allocated types.
DOM:
Fix DOMEntity field getter bugs.
Fix incorrect attribute existence check in DOMElement::setAttributeNodeNS.
Fix DOMCharacterData::replaceWith() with itself.
Fix empty argument cases for DOMParentNode methods.
Fixed bug GH-11791 (Wrong default value of DOMDocument::xmlStandalone).
Fix json_encode result on DOMDocument.
Fix manually calling __construct() on DOM classes.
Fixed bug GH-11830 (ParentNode methods should perform their checks upfront).
Fix viable next sibling search for replaceWith.
Fix segfault when DOMParentNode::prepend() is called when the child disappears.
FFI:
Fix leaking definitions when using FFI::cdef()->new(...).
Hash:
Fix use-of-uninitialized-value in hash_pbkdf2(), fix missing $options parameter in signature.
MySQLnd:
Fixed bug GH-11440 (authentication to a sha256_password account fails over SSL).
Fixed bug GH-11438 (mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters).
Fixed bug GH-11550 (MySQL Statement has a empty query result when the response field has changed, also Segmentation fault).
Fixed invalid error message "Malformed packet" when connection is dropped.
Opcache:
Fixed bug GH-11715 (opcache.interned_strings_buffer either has no effect or opcache_get_status() / phpinfo() is wrong).
Avoid adding an unnecessary read-lock when loading script from shm if restart is in progress.
PCNTL:
Revert behaviour of receiving SIGCHLD signals back to the behaviour before 8.1.22.
SPL:
Fixed bug #81992 (SplFixedArray::setSize() causes use-after-free).
Standard:
Prevent int overflow on $decimals in number_format.
Fixed bug GH-11870 (Fix off-by-one bug when truncating tempnam prefix) (athos-ribeiro)
Ceph 16.2.14
backport PR #39607
blk/kernel: Fix error code mapping in KernelDevice::read
blk/KernelDevice: Modify the rotational and discard check log message
build: Remove ceph-libboost* packages in install-deps
ceph-volume: fix a bug in get_lvm_fast_allocs() (batch)
ceph-volume: fix batch refactor issue
ceph-volume: fix drive-group issue that expects the batch_args to be a string
ceph-volume: quick fix in zap.py
ceph-volume: set lvm membership for mpath type devices
ceph_test_rados_api_watch_notify: extend Watch3Timeout test
ceph_volume: support encrypted volumes for lvm new-db/new-wal/migrate commands
cephadm: eliminate duplication of sections
cephadm: mount host /etc/hosts for daemon containers in podman deployments
cephadm: reschedule haproxy from an offline host
cephadm: using ip instead of short hostname for prometheus urls
cephfs-top: check the minimum compatible python version
cephfs-top: dump values to stdout and -d [--delay] option fix
cephfs-top: navigate to home screen when no fs
cephfs-top: Some fixes in choose_field() for sorting
client: clear the suid/sgid in fallocate path
client: do not dump mds twice in Inode::dump()
client: do not send metrics until the MDS rank is ready
client: force sending cap revoke ack always
client: only wait for write MDS OPs when unmounting
client: trigger to flush the buffer when making snapshot
client: use deep-copy when setting permission during make_request
client: wait rename to finish
cls/queue: use larger read chunks in queue_list_entries
common/crc32c_aarch64: fix crc32c unittest failed on aarch64
common/TrackedOp: fix osd reboot optracker coredump
common: notify all when max backlog reached in OutputDataSocket
common: Use double instead of long double to improve performance
Consider setting “bulk” autoscale pool flag when automatically creating a data pool for CephFS
debian: install cephfs-mirror systemd unit files and man page
do not evict clients if OSDs are laggy
doc/cephadm: Revert “doc/cephadm: update about disabling logging to journald for quincy”
doc/cephfs: edit fs-volumes.rst (1 of x)
doc/cephfs: explain cephfs data and metadata set
doc/cephfs: fix prompts in fs-volumes.rst
doc/cephfs: line-edit “Mirroring Module”
doc/cephfs: rectify prompts in fs-volumes.rst
doc/cephfs: repairing inaccessible FSes
doc/dev/encoding.txt: update per std::optional
doc/glossary: update bluestore entry
doc/mgr: edit “leaderboard” in telemetry.rst
doc/mgr: update prompts in prometheus.rst
doc/rados/operations: Acting Set question
doc/rados/operations: Fix erasure-code-jerasure.rst fix
doc/rados/ops: edit user-management.rst (3 of x)
doc/rados: edit balancer.rst
doc/rados: edit bluestore-config-ref.rst (1 of x)
doc/rados: edit bluestore-config-ref.rst (2 of x)
doc/rados: edit data-placement.rst
doc/rados: edit devices.rst
doc/rados: edit filestore-config-ref.rst
doc/rados: edit stretch-mode procedure
doc/rados: edit stretch-mode.rst
doc/rados: edit stretch-mode.rst
doc/rados: edit user-management (2 of x)
doc/rados: fix link in common.rst
doc/rados: line-edit devices.rst
doc/rados: m-config-ref: edit “background”
doc/rados: stretch-mode.rst (other commands)
doc/rados: stretch-mode: stretch cluster issues
doc/radosgw: explain multisite dynamic sharding
doc/radosgw: rabbitmq - push-endpoint edit
doc/start/os-recommendations: drop 4.14 kernel and reword guidance
doc/start: edit first 150 lines of documenting-ceph
doc/start: fix “Planet Ceph” link
doc/start: KRBD feature flag support note
doc/start: rewrite intro paragraph
doc: add link to “documenting ceph” to index.rst
doc: Add missing ceph command in documentation section REPLACING A…
doc: deprecate the cache tiering
doc: document the relevance of mds_namespace mount option
doc: explain cephfs mirroring peer_add step in detail
doc: Update jerasure.org references
doc: update multisite doc
doc: Use ceph osd crush tree command to display weight set weights
kv/RocksDBStore: Add CompactOnDeletion support
kv/RocksDBStore: cumulative backport for rm_range_keys and around
kv/RocksDBStore: don’t use real wholespace iterator for prefixed access
librados: aio operate functions can set times
librbd/managed_lock/GetLockerRequest: Fix no valid lockers case
librbd: avoid decrementing iterator before first element
librbd: avoid object map corruption in snapshots taken under I/O
librbd: don’t wait for a watch in send_acquire_lock() if client is blocklisted
librbd: localize snap_remove op for mirror snapshots
librbd: remove previous incomplete primary snapshot after successfully creating a new one
log: writes to stderr (pipe) may not be atomic
MDS imported_inodes metric is not updated
mds: adjust cap acquisition throttles
mds: allow unlink from lost+found directory
mds: display sane hex value (0x0) for empty feature bit
mds: do not send split_realms for CEPH_SNAP_OP_UPDATE msg
mds: do not take the ino which has been used
mds: fix cpu_profiler asok crash
mds: fix stray evaluation using scrub and introduce new option
mds: Fix the linkmerge assert check
mds: force replay sessionmap version
mds: make num_fwd and num_retry to __u32
mds: MDLog::_recovery_thread: handle the errors gracefully
mds: rdlock_path_xlock_dentry supports returning auth target inode
mds: record and dump last tid for trimming completed requests (or flushes)
mds: skip forwarding request if the session were removed
mds: update mdlog perf counters during replay
mds: wait for unlink operation to finish
mds: wait reintegrate to finish when unlinking
mgr/cephadm: Adding --storage.tsdb.retention.size prometheus option
mgr/cephadm: don’t try to write client/os tuning profiles to known offline hosts
mgr/cephadm: support for miscellaneous config files for daemons
mgr/dashboard: allow PUT in CORS
mgr/dashboard: API docs UI does not work with Angular dev server
mgr/dashboard: expose more grafana configs in service form
mgr/dashboard: Fix broken Fedora image URL
mgr/dashboard: Fix rbd snapshot creation
mgr/dashboard: fix the rbd mirroring configure check
mgr/dashboard: move cephadm e2e cleanup to jenkins job config
mgr/dashboard: rbd-mirror force promotion
mgr/dashboard: skip Create OSDs step in Cluster expansion
mgr/dashboard: SSO error: AttributeError: ‘str’ object has no attribute ‘decode’
mgr/nfs: disallow non-existent paths when creating export
mgr/orchestrator: fix device size in orch device ls output
mgr/rbd_support: fixes related to recover from rados client blocklisting
mgr/snap_schedule: add debug log for paths failing snapshot creation
mgr/snap_schedule: catch all exceptions for cli
mgr/volumes: avoid returning -ESHUTDOWN back to cli
mgr: store names of modules that register RADOS clients in the MgrMap
MgrMonitor: batch commit OSDMap and MgrMap mutations
mon/ConfigMonitor: update crush_location from osd entity
mon/MDSMonitor: batch last_metadata update with pending
mon/MDSMonitor: check fscid in pending exists in current
mon/MDSMonitor: do not propose on error in prepare_update
mon/MDSMonitor: ignore extraneous up:boot messages
mon/MonClient: before complete auth with error, reopen session
mon: avoid exception when setting require-osd-release more than 2 versions up
mon: block osd pool mksnap for fs pools
Monitor: forward report command to leader
orchestrator: add --no-destroy arg to ceph orch osd rm
os/bluestore: allocator’s cumulative backport
os/bluestore: allow ‘fit_to_fast’ selector for single-volume osd
os/bluestore: cumulative bluefs backport
os/bluestore: don’t need separate variable to mark hits when lookup oid
os/bluestore: fix spillover alert
os/bluestore: proper override rocksdb::WritableFile::Allocate
os/bluestore: report min_alloc_size through “ceph osd metadata”
osd/OSDCap: allow rbd.metadata_list method under rbd-read-only profile
OSD: Fix check_past_interval_bounds()
pybind/argparse: blocklist ip validation
pybind/mgr/pg_autoscaler: Reordered if statement for the func: _maybe_adjust
pybind: drop GIL during library callouts
python-common: drive_selection: fix KeyError when osdspec_affinity is not set
qa/rgw: add POOL_APP_NOT_ENABLED to log-ignorelist
qa/suites/rados: remove rook coverage from the rados suite
qa/suites/rbd: install qemu-utils in addition to qemu-block-extra on Ubuntu
qa/suites/upgrade/octopus-x: skip TestClsRbd.mirror_snapshot test
qa: check each fs for health
qa: data-scan/journal-tool do not output debugging in upstream testing
qa: fix cephfs-mirror unwinding and ‘fs volume create/rm’ order
qa: mirror tests should cleanup fs during unwind
qa: run scrub post file system recovery
qa: test_simple failure
qa: use parallel gzip for compressing logs
qa: wait for MDSMonitor tick to replace daemons
radosgw-admin: try reshard even if bucket is resharding
rbd-mirror: fix image replayer shut down description on force promote
rbd-mirror: fix race preventing local image deletion
rgw/rados: check_quota() uses real bucket owner
rgw/s3: dump Message field in Error response even if empty
rgw: avoid string_view to temporary in RGWBulkUploadOp
rgw: fix consistency bug with OLH objects
rgw: LDAP fix resource leak with wrong credentials
rgw: under fips & openssl 3.x allow md5 usage in select rgw ops
src/valgrind.supp: Adding known leaks unrelated to ceph
test: correct osd pool default size
test: monitor thrasher wait until quorum
tests: remove pubsub tests from multisite
tools/ceph-dencoder: Fix incorrect type define for trash_watcher
tools/ceph-kvstore-tool: fix segfaults when repair the rocksdb
tools/cephfs-data-scan: support for multi-datapool
vstart: check mgr status after starting mgr
Wip nitzan fixing few rados/test.sh
qa: add subvolume option flavors
Ansible AWX 23.0.0
- Revert "Improve performance for awx cli export"
- Fixed typos
- Schedule rruleset fix related #13446
- Update python-tss-sdk dependency
- Fix UI_NEXT build process broken
- Fixed task and web docs
- Fix ui-next build step file path issue
- Added required epoc time field for Splunk HEC Event Receiver
- Fix edit constructed inventory hanging loading state
- Add location for locales in nginx config
- Update cryptography for CVE-2023-38325
- AAP-10891 Apply AWX_TASK_ENV when performing credential plugin lookups
- Enforce mutually exclusive options in credential module of the collection
- Clarify that the license module requires fetching subs prior
- Fix default redis url to pass check in redis-py>4.4
- Fix typo in description of scm_update_on_launch
- Fix CVE-2023-40267
- Touchup of PR body checks
- Hop nodes for k8s
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 8 systems to protect against this vulnerability.
As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Kubernetes 1.28.1
This release contains changes that address the following vulnerabilities:
CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Affected Versions:
Fixed Versions:
CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Affected Versions:
Fixed Versions:
CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
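A quick exposure check for the two advisories above, added here as an example and not Kubernetes project code: it reads the JSON that `kubectl get nodes -o json` emits and lists the Windows nodes whose kubelet predates the fixed release of its minor line. The node list in the block is constructed. The fixed-version table is an assumption taken from the upstream advisory for these CVEs (first fixed patch of each supported line: 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17), so verify it against the advisory before acting on the output; lines older than those never received a fix and are reported as affected.

```python
"""List Windows nodes whose kubelet predates the CVE-2023-3676 / CVE-2023-3955 fixes.

Added example, not Kubernetes project code. Input is the document produced by
`kubectl get nodes -o json`; the SAMPLE below is constructed in that shape.
"""
import json
import re

# Assumed fixed-version table (first patch release of each minor line that
# carries the fix), taken from the upstream advisory; verify before relying on it.
FIXED_PATCH = {28: 1, 27: 5, 26: 8, 25: 13, 24: 17}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """'v1.27.5-eks-a5565ad' -> (1, 27, 5); distro build metadata is ignored."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable kubelet version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_windows(node):
    """Windows nodes carry the kubernetes.io/os=windows label and report it in nodeInfo."""
    labels = node["metadata"].get("labels", {})
    info = node["status"]["nodeInfo"]
    return labels.get("kubernetes.io/os") == "windows" or info.get("operatingSystem") == "windows"


def is_vulnerable(node):
    """True for a Windows node whose kubelet predates the fixed release of its line."""
    if not is_windows(node):
        return False          # the advisories only affect clusters with Windows nodes
    major, minor, patch = parse_version(node["status"]["nodeInfo"]["kubeletVersion"])
    if major != 1:
        return False
    fixed_patch = FIXED_PATCH.get(minor)
    if fixed_patch is None:
        return minor < 24     # lines older than the fixed ones never got a fix
    return patch < fixed_patch


def vulnerable_nodes(node_list):
    """Sorted names of affected nodes from a `kubectl get nodes -o json` document."""
    return sorted(n["metadata"]["name"] for n in node_list["items"] if is_vulnerable(n))


def _node(name, os_name, kubelet):
    """Build the subset of a Node object that the check reads (constructed data)."""
    return {"metadata": {"name": name, "labels": {"kubernetes.io/os": os_name}},
            "status": {"nodeInfo": {"operatingSystem": os_name, "kubeletVersion": kubelet}}}


# Constructed sample: one Linux node and four Windows nodes at various versions.
SAMPLE = {"kind": "NodeList", "items": [
    _node("linux-1", "linux", "v1.27.4"),
    _node("win-2019-a", "windows", "v1.28.0"),
    _node("win-2019-b", "windows", "v1.28.1"),
    _node("win-2022-eks", "windows", "v1.27.5-eks-a5565ad"),
    _node("win-legacy", "windows", "v1.23.17"),
]}

if __name__ == "__main__":
    import sys
    # Pipe real cluster output in; with no pipe, the constructed sample is used.
    nodes = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for name in vulnerable_nodes(nodes):
        print(name)
```

Run it as `kubectl get nodes -o json | python3 check_windows_nodes.py` (the file name is arbitrary); against the constructed sample it reports win-2019-a and win-legacy. Note that a node shows as fixed once its kubelet is upgraded, so re-run after the rollout rather than relying on the control-plane version alone.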
Angular 16.2.2
* Allow safeUrl for ngSrc in NgOptimizedImage
* Enforce a minimum version to be used when a library uses input transform
* Guard the jasmine hooks
* Ensure canceledNavigationResolution: 'computed' works on first page
Apache Tomcat 10.1.13
Catalina:
Fix: If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.
Fix: Avoid protocol relative redirects in FORM authentication.
Web applications:
Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.
Other:
Add: Improvements to Chinese translations.
Add: Improvements to French translations.
Add: Improvements to Japanese translations by tak7iji.
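The FORM authentication item above concerns the request URI that Tomcat saves and redirects to after a successful login: a target such as //evil.example/ is scheme-relative, so the browser follows it to another origin even though it starts with a slash. As an added example of the check involved (not Tomcat's code), the function below accepts only same-origin absolute paths and falls back to a fixed landing page for anything else; the backslash variant is included because browsers normalise /\host to //host. The landing page and the sample targets are assumptions.

```python
"""Reject scheme-relative and absolute redirect targets after login.

Added example illustrating the class of issue, not Tomcat's implementation.
"""
from urllib.parse import urlsplit

DEFAULT_LANDING = "/"   # assumed safe fallback when the saved target is not acceptable


def safe_redirect_target(target):
    """Return target if it is a same-origin absolute path, otherwise DEFAULT_LANDING."""
    if not target or not target.startswith("/"):
        return DEFAULT_LANDING            # relative paths and full URLs are never followed
    # "//host/..." is scheme-relative and "/\host/..." is normalised to it by browsers,
    # so both would leave the site while looking like local absolute paths.
    if target.startswith("//") or target.startswith("/\\"):
        return DEFAULT_LANDING
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING            # belt and braces: no authority may be present
    return target
```

Apply it at the point where the saved request is turned into a redirect; a stricter policy can additionally compare the target against a list of known paths, but refusing any target that carries an authority component is the minimum that closes this class of open redirect.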
RabbitMQ 3.12.4
Core Server
Bug Fixes:
Federation Plugin
Bug Fixes:
LDAP AuthN/AuthZ Backend Plugin
Bug Fixes:
Apache Cassandra 3.11.16
* Moved jflex from runtime to build dependencies (CASSANDRA-18664)
* Fix CAST function for float to decimal (CASSANDRA-18647)
* Suppress CVE-2022-45688 (CASSANDRA-18643)
* Remove unrepaired SSTables from garbage collection when only_purge_repaired_tombstones is true (CASSANDRA-14204)
* Wait for live endpoints in gossip waiting to settle (CASSANDRA-18543)
* Fix error message handling when trying to use CLUSTERING ORDER with non-clustering column (CASSANDRA-17818)
* Add keyspace and table name to exception message during ColumnSubselection deserialization (CASSANDRA-18346)
* Remove unnecessary String.format invocation in QueryProcessor when getting a prepared statement from cache (CASSANDRA-17202)
Merged from 3.0:
* Fix Requires for Java for RPM package (CASSANDRA-18751)
* Fix CQLSH online help topic link (CASSANDRA-17534)
* Remove unused suppressions (CASSANDRA-18724)
* Upgrade OWASP to 8.3.1 (CASSANDRA-18650)
* Suppress CVE-2023-34462 (CASSANDRA-18649)
* Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)
* Suppress CVE-2023-35116 (CASSANDRA-18630)
* Pass taskId from CompactionTask to system.compaction_history (CASSANDRA-12183)
* Suppress CVE-2023-34455, CVE-2023-34454, CVE-2023-34453 (CASSANDRA-18608)
* Backport CASSANDRA-10508: Remove hard-coded SSL cipher suites (CASSANDRA-18575)
* Suppress CVE-2023-2976 (CASSANDRA-18562)
* Remove dh_python use in Debian packaging (CASSANDRA-18558)
* Pass down all contact points to driver for cassandra-stress (CASSANDRA-18025)
* Validate the existence of a datacenter in nodetool rebuild (CASSANDRA-14319)
* Suppress CVE-2023-2251 (CASSANDRA-18497)
Nginx 1.25.2
* Feature: path MTU discovery when using HTTP/3.
* Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using HTTP/3.
* Change: now nginx uses appname "nginx" when loading OpenSSL configuration.
* Change: now nginx does not try to load OpenSSL configuration if the --with-openssl option was used to built OpenSSL and the OPENSSL_CONF environment variable is not set.
* Bugfix: in the $body_bytes_sent variable when using HTTP/3.
* Bugfix: in HTTP/3.
Angular 16.2.1
* Fix: Apply named outlets to children empty paths not appearing in the URL.
Elasticsearch 8.9.1
Fixes:
Aggregations
Cluster Coordination
EQL
ILM+SLM
Infra/Logging
Machine Learning
Search
Grafana 9.5.8
Features and Enhancements:
GenericOAuth: Set sub as auth id.
Bug Fixes:
DataSourceProxy: Fix url validation error handling
Kibana 8.9.1
Fixes:
APM
Canvas
Discover
Fleet
Management
Uptime
Kubernetes 1.28
UPGRADE NOTES
Having appropriate QueueingHintFn contributes to reducing useless retries and thus improves the overall scheduler's performance.
How can I migrate?
For backward compatibility, nil QueueingHintFn is treated as always returning QueueAfterBackoff. So, if you want to just keep the existing behavior, you can register ClusterEventWithHint with no QueueingHintFn in it. But, registering appropriate QueueingHintFn is, of course, better from a scheduling performance perspective.
FIXES
Deprecation:
API Change:
Feature:
When LimitedSwap is enabled the swap limit would be automatically calculated for Burstable QoS pods. For Best-Effort/Guaranteed QoS pods, swap would be disabled.
Containers with memory requests equal to their memory limits also won't have swap access, and it is a way to opt-out of swap for a single container.
The formula for the swap limit for Burstable QoS pods is: (<memory-request>/<node-memory-capacity>)*<node-swap-capacity>.
Support for cgroup v1 is removed.
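The swap rules above, worked through per container as an added example rather than kubelet code. The QoS classification follows the documented Kubernetes rules (Guaranteed when every container has CPU and memory limits with requests equal to them, BestEffort when no container sets any request or limit, Burstable otherwise); CPU quantities are compared textually and the memory parser covers plain bytes and binary suffixes only, both assumed simplifications. The node sizes and pods are constructed.

```python
"""Per-container swap limits under LimitedSwap (Kubernetes 1.28 NodeSwap).

Added example, not kubelet code. Burstable pods get
(memory-request / node-memory-capacity) * node-swap-capacity per container;
Guaranteed and BestEffort pods, and any container whose memory request
equals its limit, get no swap.
"""

UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}


def parse_quantity(q):
    """'512Mi' -> 536870912; a plain integer is bytes. Binary suffixes only (assumed)."""
    for suffix, mult in UNITS.items():
        if q.endswith(suffix):
            return int(q[:-len(suffix)]) * mult
    return int(q)


def _same(resource, a, b):
    """Memory compares by value; CPU compares textually (assumed simplification)."""
    return parse_quantity(a) == parse_quantity(b) if resource == "memory" else a == b


def qos_class(containers):
    """Pod QoS class derived from its containers, per the documented rules."""
    any_set = False
    guaranteed = True
    for c in containers:
        req, lim = c.get("requests", {}), c.get("limits", {})
        if req or lim:
            any_set = True
        for res in ("cpu", "memory"):
            if res not in lim:
                guaranteed = False          # Guaranteed needs both limits on every container
            elif res in req and not _same(res, req[res], lim[res]):
                guaranteed = False          # an absent request defaults to the limit
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


def container_swap_limit(container, pod_qos, node_memory_bytes, node_swap_bytes):
    """Swap limit in bytes for one container, rounded down to whole bytes."""
    if pod_qos != "Burstable":
        return 0                            # Guaranteed and BestEffort pods get no swap
    req = container.get("requests", {}).get("memory")
    lim = container.get("limits", {}).get("memory")
    if req is None:
        req = lim                           # request defaults to the limit when only a limit is set
    if req is None:
        return 0                            # no memory request at all: nothing to scale
    if lim is not None and parse_quantity(req) == parse_quantity(lim):
        return 0                            # request == limit opts this container out of swap
    return parse_quantity(req) * node_swap_bytes // node_memory_bytes


def pod_swap_limits(pod, node_memory, node_swap):
    """Map container name -> swap limit in bytes for one pod on the given node."""
    qos = qos_class(pod["containers"])
    mem, swap = parse_quantity(node_memory), parse_quantity(node_swap)
    return {c["name"]: container_swap_limit(c, qos, mem, swap) for c in pod["containers"]}


# Constructed node and pods: 16Gi RAM, 4Gi swap.
NODE_MEMORY, NODE_SWAP = "16Gi", "4Gi"
PODS = {
    "burstable-web": {"containers": [
        {"name": "app", "requests": {"cpu": "500m", "memory": "2Gi"}, "limits": {"memory": "4Gi"}},
        {"name": "sidecar", "requests": {"memory": "1Gi"}, "limits": {"memory": "1Gi"}},
    ]},
    "guaranteed-db": {"containers": [
        {"name": "db", "requests": {"cpu": "1", "memory": "4Gi"}, "limits": {"cpu": "1", "memory": "4Gi"}},
    ]},
    "besteffort-batch": {"containers": [{"name": "worker"}]},
}

if __name__ == "__main__":
    for name, pod in PODS.items():
        print(name, qos_class(pod["containers"]), pod_swap_limits(pod, NODE_MEMORY, NODE_SWAP))
```

On the constructed node the app container (2Gi of 16Gi) is allowed 512Mi of swap, the sidecar with request equal to limit gets none, and the Guaranteed and BestEffort pods get none. Setting request equal to limit is therefore the per-container opt-out when a pod must stay Burstable for other reasons.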
This release adds a feature to hash the KeyID values in the logs. The KeyID values are sensitive information that should not be exposed in plain text in the logs. By hashing the KeyID values, we can protect the confidentiality of the data while still being able to log the necessary information.
This release adds new metrics to the Encryption Configuration Controller to help monitor the automatic reloading of encryption configuration. The new metrics include:
These metrics can be used to monitor the health of the Encryption Configuration Controller and to troubleshoot any issues that may arise during automatic reloading of encryption configuration.
Changed kubectl create secret --help description. There will be a short introduction to the three secret types and clearer guidance on how to use the command.
Logstash 8.9.1
Notable issues fixed
Updates to dependencies
Plugins
Elasticsearch Filter - 3.15.2
Snmp Input - 1.3.3
Aws Integration - 7.1.5
RabbitMQ 3.12.3
Core Server
Bug Fixes
If a user does not have handle.exe installed in the PATH of their Windows system, a message will be logged once, and then the total handles being used will be set to 0. PowerShell ended up being a CPU-intensive alternative that's not worth the gains for many installations.
CLI Tools
Enhancements
MQTT Plugin
Bug Fixes
Enhancements
Now the number of dropped messages will be reflected in the dropped message metric, together with unroutable messages.
HTTP AuthN/AuthZ Backend Plugin
Bug Fixes
LDAP AuthN/AuthZ Backend Plugin
Bug Fixes
Sonatype Nexus Repository 3.59.0
FIXES
NEXUS-39797: Resolved an issue that was causing some components to not be indexed for search in HA deployments.
NEXUS-39774 & 39573: Using the Search API to return Maven assets with an empty maven.classifier now works as expected.
NEXUS-39255: The Conan v2 remote list command to retrieve revisions performs as expected without a 500 error.
NEXUS-36486: The blobCreated date is now preserved when migrating to PostgreSQL.
NEXUS-36415: Adjusted handling in cases where invalid content violating metadata format is cached in a proxy repository.
NEXUS-35977: Improved error messaging and documentation related to requesting files from a R format repository.
Gitlab Community Edition 16.3.0
Added (169 changes)
Fixed (180 changes)
Changed (265 changes)
Security (22 changes)
* Use component to hide sensitive analytics settings (merge request)
* Fix undefined method page error in list dependencies (merge request)
* Fix undefined method licenses for nil:NilClass bug (merge request)
* Add pagination for license scanning (merge request)
* Mitigate autolink filter ReDOS (merge request)
* Revert 'security-408388--protected-branch' (merge request)
* Fix bug where comments on files with incorrect sha breaks UI (merge request)
* Prevent leaking emails of newly created users (merge request)
* Sanitize multiple hardlinks from import archives (merge request)
* Mitigate project reference filter ReDOS (merge request)
* Relocate PlantUML config and disable SVG support (merge request)
* Added redirect to filtered params (merge request)
* Validates project path availability (merge request)
* Fix XSS vector in Web IDE (merge request)
* Prevent creation of tags matching protected branch names (merge request)
* Add a stricter regex for the Harbor search param (merge request)
* Prohibit 40 character hex plus a hyphen if branch name is path (merge request)
* Fix policy project assign (merge request)
* Fix pipeline schedule authorization for protected branch/tag (merge request)
* Update pipeline user to the last policy MR author (merge request)
* Test nr 3: fast security->canonical sync (merge request)
* Test fast security->canonical sync (merge request)
Performance (17 changes)
Other (90 changes)
Angular 16.2.0
benchpress:
fix: correctly report GC memory amounts (#50760)
common:
feat: add component input binding support for NgComponentOutlet (#51148)
feat: Allow ngSrc to be changed post-init (#50683)
compiler:
feat: scope selectors in @scope queries (#50747)
compiler-cli:
fix: libraries compiled with v16.1+ breaking with Angular framework v16.0.x (#50714)
core:
feat: add afterRender and afterNextRender (#50607)
feat: create injector debugging APIs (#48639)
feat: support Provider type in Injector.create (#49587)
fix: handle hydration of view containers for root components (#51247)
router:
feat: exposes the fixture of the RouterTestingHarness (#50280)
Apache Tomcat 11.0.0-M10
Catalina:
DataSourceUserDatabase identified by Coverity Scan. (markt)
ExtendedAccessLogValve patterns more robust. (markt)
maxParameterCount used for parsing parameters if parts are parsed first. (remm)
Coyote:
certificateKeystoreFile attribute of an SSLHostConfigCertificate instance. (markt)
PROFILE=SYSTEM instead of producing an error trying to parse it. (remm)
AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2. (markt)
WebSocket:
NullPointerException when flushing batched messages with compression enabled using permessage-deflate. (markt)
jdbc-pool:
releaseIdleCounter does not increment when testAllIdle releases them. Pull request #241 provided by Arun Chaitanya Miriappalli (lihan)
ConnectionState state will be inconsistent with actual state on the connection when an exception occurs while writing. Pull request #643 provided by Wenjun Xiao. (lihan)
Other:
_RUNJAVA environment variable as intended on Windows when the path to the Java executable contains spaces. (markt)
Apache Tomcat 10.1.12
Catalina:
NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections. (fschumacher)
maxParameterCount used for parsing parameters if parts are parsed first. (remm)
Coyote:
certificateKeystoreFile attribute of an SSLHostConfigCertificate instance. (markt)
PROFILE=SYSTEM instead of producing an error trying to parse it. (remm)
AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2. (markt)
WebSocket:
NullPointerException when flushing batched messages with compression enabled using permessage-deflate. (markt)
jdbc-pool:
releaseIdleCounter does not increment when testAllIdle releases them. Pull request #241 provided by Arun Chaitanya Miriappalli (lihan)
ConnectionState state will be inconsistent with actual state on the connection when an exception occurs while writing. Pull request #643 provided by Wenjun Xiao. (lihan)
Other:
_RUNJAVA environment variable as intended on Windows when the path to the Java executable contains spaces. (markt)
Docker Engine / Compose v2.20.3
Enhancements:
Fixes:
Internal:
Dependencies:
HAProxy v2.9-dev3
BUG/MINOR: ssl: OCSP callback only registered for first SSL_CTX
BUG/MEDIUM: h3: Properly report a C-L header was found to the HTX start-line
MINOR: sample: add pid sample
MINOR: sample: implement act_conn sample fetch
MINOR: sample: accept_date / request_date return %Ts / %tr timestamp values
MEDIUM: sample: implement us and ms variant of utime and ltime
BUG/MINOR: sample: check alloc_trash_chunk() in conv_time_common()
DOC: configuration: describe Td in Timing events
MINOR: sample: implement the T* timer tags from the log-format as fetches
DOC: configuration: add sample fetches for timing events
BUG/MINOR: quic: Possible crash when acknowledging Initial v2 packets
MINOR: quic: Export QUIC traces code from quic_conn.c
MINOR: quic: Export QUIC CLI code from quic_conn.c
MINOR: quic: Move TLS related code to quic_tls.c
MINOR: quic: Add new "QUIC over SSL" C module.
MINOR: quic: Add a new quic_ack.c C module for QUIC acknowledgements
CLEANUP: quic: Defined but no longer used function (quic_get_tls_enc_levels())
MINOR: quic: Split QUIC connection code into three parts
CLEANUP: quic: quic_conn struct cleanup
MINOR: quic: Move the QUIC frame pool to its proper location
BUG/MINOR: chunk: fix chunk_appendf() to not write a zero if buffer is full
BUG/MEDIUM: h3: Be sure to handle fin bit on the last DATA frame
DOC: configuration: rework the custom log format table
BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels
CLEANUP: acl: remove cache_idx from acl struct
REORG: cfgparse: extract curproxy as a global variable
MINOR: acl: add acl() sample fetch
BUILD: cfgparse: keep a single "curproxy"
BUG/MEDIUM: bwlim: Reset analyse expiration date when the channel analyse ends
MEDIUM: stream: Reset response analyse expiration date if there is no analyzer
BUG/MINOR: htx/mux-h1: Properly handle bodyless responses when splicing is used
BUG/MEDIUM: quic: consume contig space on requeue datagram
BUG/MINOR: http-client: Don't forget to commit changes on HTX message
CLEANUP: stconn: Move comment about sedesc fields on the field line
REGTESTS: http: Create a dedicated script to test spliced bodyless responses
REGTESTS: Test SPLICE feature is enabled to execute script about splicing
BUG/MINOR: quic: reappend rxbuf buffer on fake dgram alloc error
BUILD: quic: fix wrong potential NULL dereference
MINOR: h3: abort request if not completed before full response
BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value replacement
CLEANUP: quic: Remove quic_path_room().
MINOR: quic: Amplification limit handling sanitization.
MINOR: quic: Move some counters from [rt]x quic_conn anonymous struct
MEDIUM: quic: Send CONNECTION_CLOSE packets from a dedicated buffer.
MINOR: quic: Use a pool for the connection ID tree.
MEDIUM: quic: Allow the quic_conn memory to be asap released.
MINOR: quic: Release asap quic_conn memory (application level)
MINOR: quic: Release asap quic_conn memory from ->close() xprt callback.
MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"
REORG: http: move has_forbidden_char() from h2.c to http.h
BUG/MAJOR: h3: reject header values containing invalid chars
MINOR: mux-h2/traces: also suggest invalid header upon parsing error
MINOR: ist: add new function ist_find_range() to find a character range
MINOR: http: add new function http_path_has_forbidden_char()
MINOR: h2: pass accept-invalid-http-request down the request parser
REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
BUG/MINOR: h1: do not accept '#' as part of the URI component
BUG/MINOR: h2: reject more chars from the :path pseudo header
BUG/MINOR: h3: reject more chars from the :path pseudo header
REGTESTS: http-rules: verify that we block '#' by default for normalize-uri
DOC: clarify the handling of URL fragments in requests
BUG/MAJOR: http: reject any empty content-length header value
BUG/MINOR: http: skip leading zeroes in content-length values
BUG/MEDIUM: mux-h1: fix incorrect state checking in h1_process_mux()
BUG/MEDIUM: mux-h1: do not forget EOH even when no header is sent
BUILD: mux-h1: shut a build warning on clang from previous commit
DEV: makefile: add a new "range" target to iteratively build all commits
CI: do not use "groupinstall" for Fedora Rawhide builds
CI: get rid of travis-ci wrapper for Coverity scan
BUG/MINOR: quic: mux started when releasing quic_conn
BUG/MINOR: quic: Possible crash in quic_cc_conn_io_cb() traces.
MINOR: quic: Add a trace for QUIC conn fd ready for receive
BUG/MINOR: quic: Possible crash when issuing "show fd/sess" CLI commands
BUG/MINOR: quic: Missing tasklet (quic_cc_conn_io_cb) memory release (leak)
BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing
BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
MINOR: hlua: add hlua_stream_ctx_prepare helper function
BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
MAJOR: threads/plock: update the embedded library again
MINOR: stick-table: move the task_queue() call outside of the lock
MINOR: stick-table: move the task_wakeup() call outside of the lock
MEDIUM: stick-table: change the ref_cnt atomically
MINOR: stick-table: better organize the struct stktable
MEDIUM: peers: update ->commitupdate out of the lock using a CAS
MEDIUM: peers: drop then re-acquire the wrlock in peer_send_teachmsgs()
MEDIUM: peers: only read-lock peer_send_teachmsgs()
MEDIUM: stick-table: use a distinct lock for the updates tree
MEDIUM: stick-table: touch updates under an upgradable read lock
MEDIUM: peers: drop the stick-table lock before entering peer_send_teachmsgs()
MINOR: stick-table: move the update lock into its own cache line
CLEANUP: stick-table: slightly reorder the stktable struct
BUILD: defaults: use __WORDSIZE not LONGBITS for MAX_THREADS_PER_GROUP
MINOR: tools: make ptr_hash() support 0-bit outputs
MINOR: tools: improve ptr hash distribution on 64 bits
OPTIM: tools: improve hash distribution using a better prime seed
OPTIM: pools: use exponential back-off on shared pool allocation/release
OPTIM: pools: make pool_get_from_os() / pool_put_to_os() not update ->allocated
MINOR: pools: introduce the use of multiple buckets
MEDIUM: pools: spread the allocated counter over a few buckets
MEDIUM: pools: move the used counter over a few buckets
MEDIUM: pools: move the needed_avg counter over a few buckets
MINOR: pools: move the failed allocation counter over a few buckets
MAJOR: pools: move the shared pool's free_list over multiple buckets
MINOR: pools: make pool_evict_last_items() use pool_put_to_os_no_dec()
BUILD: pools: fix build error on clang with inline vs forceinline
Jenkins 2.419
Use standard size node icon even with long node names. (pull 8089)
Jenkins 2.418
New login page breaks login theme plugin. (issue 71238)
Fix "Manage Jenkins" context menu (regression in 2.415). (issue 71744)
Fix mistranslation of Japanese message in mailing list reference. (pull 8324)
Nodejs v20.5.1
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32558: process.binding() can bypass the permission model through path traversal (High)
CVE-2023-32004: Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
CVE-2023-32005: fs.statfs can bypass the permission model (Low)
CVE-2023-32003: fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
OpenSSL Security Releases:
OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July.
This restriction guards against SQL-injection hazards for trusted extensions.
The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. (CVE-2023-39417)
MERGE to enforce row security policies properly (Dean Rasheed)
When MERGE performs an UPDATE action, it should enforce any UPDATE or SELECT RLS policies defined on the target table, to be consistent with the way that a plain UPDATE with a WHERE clause works. Instead it was enforcing INSERT RLS policies for both INSERT and UPDATE actions.
In addition, when MERGE performs a DO NOTHING action, it applied the target table's DELETE RLS policies to existing rows, even though those rows are not being deleted. While it's not a security problem, this could result in unwanted errors.
The PostgreSQL Project thanks Dean Rasheed for reporting this problem. (CVE-2023-39418)
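As an added verification script (constructed for this digest, not part of the PostgreSQL release notes), the following sets up a table whose INSERT policy is permissive but whose UPDATE policy is not, then confirms that a MERGE update action is rejected by the UPDATE policy's WITH CHECK, which is the behaviour the fix restores. The role and table names are placeholders.

```sql
-- Constructed regression check for the MERGE / RLS fix (CVE-2023-39418).
-- Role "app_user" and table "accounts" are placeholder names.
CREATE ROLE app_user LOGIN;
CREATE TABLE accounts (
    id      int PRIMARY KEY,
    owner   text NOT NULL,
    balance numeric NOT NULL
);
GRANT SELECT, INSERT, UPDATE ON accounts TO app_user;
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;

-- Users may only read and update rows they own, and may not hand a row to someone else.
CREATE POLICY accounts_select ON accounts FOR SELECT TO app_user
    USING (owner = current_user);
CREATE POLICY accounts_update ON accounts FOR UPDATE TO app_user
    USING (owner = current_user)
    WITH CHECK (owner = current_user);
-- INSERT is deliberately permissive; the bug checked MERGE's update action
-- against this policy instead of accounts_update.
CREATE POLICY accounts_insert ON accounts FOR INSERT TO app_user
    WITH CHECK (true);

INSERT INTO accounts VALUES (1, 'app_user', 100);

SET ROLE app_user;

-- A plain UPDATE changing the owner is rejected by accounts_update's WITH CHECK.
-- Expected: ERROR: new row violates row-level security policy for table "accounts"
UPDATE accounts SET owner = 'someone_else' WHERE id = 1;

-- The same change through MERGE must raise the same error on a patched server;
-- before the fix it was checked against accounts_insert, as the note above describes.
MERGE INTO accounts AS a
USING (VALUES (1)) AS s(id) ON a.id = s.id
WHEN MATCHED THEN
    UPDATE SET owner = 'someone_else'
WHEN NOT MATCHED THEN
    INSERT VALUES (s.id, current_user, 0);

RESET ROLE;
-- On a patched server row 1 still reports owner = 'app_user'.
SELECT id, owner FROM accounts WHERE id = 1;
```

Run it as a superuser against a scratch database; both statements erroring out is the expected, fixed behaviour.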
Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.
This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX any BRIN indexes that may be used to search for nulls.
DROP DATABASE is interrupted (Andres Freund)
If DROP DATABASE was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE.
If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.
ALTER TABLE ATTACH PARTITION (Michael Paquier)
Such an index will now be ignored, and a new child index created instead.
The update of the index's pg_index entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple” error.
ALTER EXTENSION SET SCHEMA to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)
Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.
ALTER TABLE ... SET ACCESS METHOD failed to update relevant pg_depend entries when changing a table's access method. When using non-built-in access methods, this creates a risk that an access method could be dropped even though tables still depend on it. This fix corrects the logic in ALTER TABLE, but it will not adjust any already-missing pg_depend entries.
This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.
Applying Memoize to a sub-plan that contains volatile filter conditions is likely to lead to wrong answers. The check to avoid doing this missed some cases that can arise when using LATERAL.
The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)
SERIALIZABLE isolation mode (Thomas Munro)
Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.
This oversight could lead to update or delete actions in READ COMMITTED isolation mode getting performed when they should have been skipped because of a conflicting concurrent update.
When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.
If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.
UPDATE queries with triggers (Tomas Vondra)
jsonpath's datetime() method (Tom Lane)
pg_hba.conf and pg_ident.conf (Tom Lane)
The previous limit of 256 bytes has been found insufficient for some use-cases.
Faulty loop logic could cause some entries to be skipped.
If JIT is in use, running out of memory in a C++ new call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.
plancache.c (Tom Lane)
Ensure that the segment is moved into the appropriate “bin” for its new amount of free space, so that it will be found by subsequent searches.
VACUUM to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)
If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX will fix the broken index, but preventing VACUUM from completing until that is done risks making matters far worse.
WrapLimitsVacuumLock is released after VACUUM detects invalid data in pg_database.datfrozenxid or pg_database.datminmxid (Andres Freund)
Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.
After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held” in the startup process.
fsync'ed at the next checkpoint (Heikki Linnakangas)
Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file” errors.
While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.
Treat this case as plain end-of-WAL to avoid logging inaccurate complaints from pg_waldump and walsender.
jsonpath code (David Rowley)
This assertion failed if a query applied the .type() operator to a like_regex result. There was no bug in non-assert builds.
stats_fetch_consistency setting is changed intra-transaction (Kyotaro Horiguchi)
contrib/fuzzystrmatch's Soundex difference() function to handle empty input sanely (Alexander Lakhin, Tom Lane)
An input string containing no alphabetic characters resulted in unpredictable output.
contrib/hstore input (Evan Jones)
In some cases, characters would be falsely recognized as whitespace and hence discarded.
contrib/intarray's gist__int_ops index opclass (Ankit Kumar Pandey, Alexander Lakhin)
Previously this code would report a NOTICE but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.
contrib/intarray (Konstantin Knizhnik, Matthias van de Meent, Tom Lane)
contrib/pageinspect's gist_page_items() function to work when there are included index columns (Alexander Lakhin, Michael Paquier)
Previously, if the index has included columns, gist_page_items() would fail to display those values on index leaf pages, or crash outright on non-leaf pages.
PSQL_WATCH_PAGER environment variable when stdin/stdout are not a terminal (Tom Lane)
This corresponds to the treatment of PSQL_PAGER in commands besides \watch.
Such cases can arise from GROUP BY and ON CONFLICT clauses, for example. The function must then be postponed until after the unique index in the dump output, but pg_dump did not do that and instead printed a warning about “could not resolve dependency loop”.
pg_index.indisreplident is kept up-to-date in relation cache entries (Shruthi Gowda)
This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.
This restriction guards against SQL-injection hazards for trusted extensions.
The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. (CVE-2023-39417)
Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.
This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX any BRIN indexes that may be used to search for nulls.
DROP DATABASE is interrupted (Andres Freund)
If DROP DATABASE was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE.
If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.
ALTER TABLE ATTACH PARTITION (Michael Paquier)
Such an index will now be ignored, and a new child index created instead.
The update of the index's pg_index entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple” error.
ALTER EXTENSION SET SCHEMA to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)
Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.
This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.
Applying Memoize to a sub-plan that contains volatile filter conditions is likely to lead to wrong answers. The check to avoid doing this missed some cases that can arise when using LATERAL.
The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)
SERIALIZABLE isolation mode (Thomas Munro)
Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.
This oversight could lead to update or delete actions in READ COMMITTED isolation mode getting performed when they should have been skipped because of a conflicting concurrent update.
When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.
If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.
UPDATE queries with triggers (Tomas Vondra)
jsonpath's datetime() method (Tom Lane)
pg_hba.conf and pg_ident.conf (Tom Lane)
The previous limit of 256 bytes has been found insufficient for some use-cases.
If JIT is in use, running out of memory in a C++ new call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.
plancache.c (Tom Lane)
Ensure that the segment is moved into the appropriate “bin” for its new amount of free space, so that it will be found by subsequent searches.
VACUUM to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)
If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX will fix the broken index, but preventing VACUUM from completing until that is done risks making matters far worse.
WrapLimitsVacuumLock is released after VACUUM detects invalid data in pg_database.datfrozenxid or pg_database.datminmxid (Andres Freund)
Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.
After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held” in the startup process.
If any required two-phase transactions were logged in the most recent (partial) log segment, promotion would fail with an incorrect complaint about “requested WAL segment has already been removed”.
fsync'ed at the next checkpoint (Heikki Linnakangas)
Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file” errors.
While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.
This could result in unnecessary delays of checkpoints, or in assertion failures in assert-enabled builds.
jsonpath code (David Rowley)
This assertion failed if a query applied the .type() operator to a like_regex result. There was no bug in non-assert builds.
contrib/fuzzystrmatch's Soundex difference() function to handle empty input sanely (Alexander Lakhin, Tom Lane)
An input string containing no alphabetic characters resulted in unpredictable output.
contrib/hstore input (Evan Jones)
In some cases, characters would be falsely recognized as whitespace and hence discarded.
contrib/intarray's gist__int_ops index opclass (Ankit Kumar Pandey, Alexander Lakhin)
Previously this code would report a NOTICE but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.
contrib/intarray (Konstantin Knizhnik, Matthias van de Meent, Tom Lane)
contrib/pageinspect's gist_page_items() function to work when there are included index columns (Alexander Lakhin, Michael Paquier)
Previously, if the index has included columns, gist_page_items() would fail to display those values on index leaf pages, or crash outright on non-leaf pages.
Such cases can arise from GROUP BY and ON CONFLICT clauses, for example. The function must then be postponed until after the unique index in the dump output, but pg_dump did not do that and instead printed a warning about “could not resolve dependency loop”.
pg_index.indisreplident is kept up-to-date in relation cache entries (Shruthi Gowda)
This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.
Redis 7.2.0
Upgrade urgency LOW: This is the first stable Release for Redis 7.2.
Bug Fixes:
unknown-endpoint (#12273)
Fixes for issues in previous releases of Redis 7.2:
d12d10c (0.40) Update to OpenSSL 1.1.1v Peter Shipton #17896
67512b5 (0.40) Update OpenSSL to the 1.1.1 July 19 CVE level Peter Shipton #17836
18fb6d1 (0.40) Use jdk19 to build jdk20 Peter Shipton #17834
b681a67 (0.40) Exclude cmdLineTester_CryptoTest in FIPS mode Paritosh Kumar #17777
ac8c50c (v0.40.0-release) j9gc_createJavaLangString protects string objects across GC points Jason Feng #17747
7319b8d (0.40) Split sanity.openjdk into 3 parallel jobs Lan Xia #17705
6eed053 (v0.40.0-release) CRIU tests pass if the original thread IDs can't be acquired Jason Feng #17702
c5b1658 (0.40) Modify the translated PII files in nls folder 20230627 Dong Chen #17687
26d65ac Change API used for computing code cache size in low memory environments (0.40.0) Marius Pirvu #17682
4dd1080 (v0.40.0-release) CRIU tests require only one Pre-checkpoint message Jason Feng #17669
e116b33 (v0.40.0-release) CRIU skips clearInetAddressCache() if InetAddress is not initialized Jason Feng #17670
e13741a (0.40) Add missed check for compressed string Dmitri Pivkine #17661
558f239 (0.40) CRIU GC: Flush and Reset Buffers on Reinit Salman Rana #17653
c50c466 (0.40) Add checkpoint delay when clinit is occurring Tobi Ajila #17652
8b4420c (v0.40.0) Use debug interpreter unconditionally when debug is enabled … Mike Zhang #17627
efe6ee2 (v0.40.0-release) CRIU throws JVMCRIUException in single threaded mode if parks no timeout Jason Feng #17639
2684cbb (0.40) Update Split List Forced Flag + Revert CRIU Thread Count Reinit Salman Rana #17644
970c9be (0.40) GC CRIU: Reinit HeapRegionDescriptorExtensions (Region Obj Lists) Salman Rana #17645
71eab61 (0.40) Avoid generating store of uninitialized auto when reducing TRT2 Devin Papineau #17605
b5af32b [0.40] Add NLS message: J9NLS_PORT_RUNNING_IN_CONTAINER_FAILURE Babneet Singh #17600
17f2765 (0.40) Fix invalid OMR_PRI* usage on Windows Kevin Grigorenko #17569
c4720f2 [FFI/Jtreg_JDK20] Keep the downcall address alive for downcall (0.40) ChengJin01 #17565
936ec54 (0.40) Modify the translated PII files in nls folder 20230607 Dong Chen #17545
99c5d95 [FFI/Jtreg_JDK20] Validate the downcall address with the scope check (0.40) ChengJin01 #17538
b9cd65e Insert branch around re performing store for awrtbar Rahil Shah #17517
f514560 CRIU skips j9sysinfo_get_username()/getpwuid() if isCheckPointAllowed Jason Feng #17505
0a07503 Put select system property names and values in allocated memory Keith W. Campbell #17407
bedafef Handle new vector opcodes Gita Koblents #17112
60798a3 Revert "Enable EDO during AOT compilation" Peter Shipton #17512
6ed80ce Enable EDO during AOT compilation Christian Despres #17217
3cbf8a0 Bump actions/setup-python from 2.3.3 to 4.6.1 dependabot[bot] #17502
4334ef0 Remove configuration information for Java 19 Keith W. Campbell #17507
42d8c31 Correct return type of JVM_Sleep() Keith W. Campbell #17504
c005819 Expand bytecode offset variables to 32bit Kevin Langman #17469
91c8570 Fix array constructor for Object Lists Aleksandar Micic #17503
283b706 Set LIGHT_WEIGHT_CHECKOUT to true Lan Xia #17497
423823f Correct SPDX license identifiers Jason Feng #17494
b087017 Correct SPDX license identifier Dmitri Pivkine #17489
dd16eba CRIU JDK11UpTimeoutAdjustmentTest adjusts for thread starting Jason Feng #17473
9797bca Rework RegionExtension/Object List Initialization Salman Rana #17461
69d50bc Bump actions/github-script from 3.2.0 to 6.4.1 dependabot[bot] #17481
ba2ccc1 Bump actions/checkout from 2.7.0 to 3.5.2 dependabot[bot] #17482
914adf4 Bump adoptium/run-aqa from 1.0.8 to 2.0.1 dependabot[bot] #17483
54a776f Bump peter-evans/create-pull-request from 3.14.0 to 5.0.1 dependabot[bot] #17480
013e44d Bump actions/upload-artifact from 2.3.1 to 3.1.2 dependabot[bot] #17484
ff98e55 [StepSecurity] Apply security best practices StepSecurity Bot #17477
b58a15e Call static method VM.getVMArgs() from JNI as a static method Peter Shipton #17475
f98cb31 Update openssl to version 1.1.1u Keith W. Campbell #17468
3e340db Disable FFI specific code for compilation in JDK21 ChengJin01 #17352
6aab183 Add/update java.specification.maintenance.version Keith W. Campbell #17470
c7ac2f7 Correct SPDX license identifiers Keith W. Campbell #17435
3b029b0 Add support for persistent SCC on z/OS Hang Shao #17073
f988e15 Set symbol declared class for field shadows Devin Papineau #17327
623c7ba Adding helper functions for crc32 special routines to enable optimizations in AOT Bhavani SN #17453
1b94cba Handle code cache allocation for low memory SajinaKandy #17425
12286f5 CRIU restore clears InetAddress.cache Jason Feng #17448
ec0eb13 Add the unimplemented assertion to Thread.findScopedValueBindings() Gengchen Tuo #17451
3bacb5a Add CH Table AOT Feature Flag Irwin D'Souza #17260
4bb727b Place fatal asserts in FE queries that JITServer should not call Marius Pirvu #17355
18f6869 Simplify callMustBeInlinedRegardlessOfSize calls James You #17406
1220e36 Use genLoadProfiledClassAddressConstant in Z codegen Spencer Comin #14932
37e239e Revert "Sync JVM init and exit paths" Babneet Singh #17438
de38712 Fix bug related to J9::Options::_compilationDelayTime unit Marius Pirvu #17436
3ca50dc Fix compile error due to unused variable Keith W. Campbell #17434
7d5d62a Correctly handle primitive VTs in System.arraycopy Ehren Julien-Neitzert #17048
3fbe09e Add areFlattenableValueTypesEnabled() for JIT Hang Shao #17413
22b17b8 [Jtreg/FFI] Remove the null segment check for pointer ChengJin01 #17408
826d49a (0.39) Prototype Continuation caching Babneet Singh #17409
e4a741f Add new optimization catchBlockProfiler Marius Pirvu #16854
b182f7a Add 31-64 interop support for JVM_ funcs for JDK17+ Joran Siu #17369
9667d83 Add new build flag to split value object feature from Valhalla Hang Shao #17394
a555ad2 WIP: Teach ValueTypeUnsafeTests about dual header shape Shubham Verma #17375
cb36d2d Sync JVM init and exit paths Babneet Singh #17101
d41eba9 Fix handling of IPv6 addresses Keith W. Campbell #17403
c9ea68f Enable CRC32 to run with AOT enabled on Power Bhavani SN #17243
8800e58 Patch addresses in LLILF/IIHF pairs on class unload and HCR Spencer Comin #15705
0ef06f4 Use TRUE instead of true calling freeContinuation() Babneet Singh #17398
8aa8676 Prototype Continuation caching Jack Lu #17344
09a3602 DDR: Fix function call parsing in StackMap Devin Nakamura #17278
b5c39bf Return false from JVM_DTraceIsSupported Peter Shipton #17391
1cbe6d1 Add missing value type check before zero the lockword Hang Shao #17381
8e3bb68 [FFI/JDK20_Jtreg] Handle the invalid arguments & return value ChengJin01 #17308
7806354 Provide a better error message for failed library loads on jdk17+ Peter Shipton #17374
3e7e8f9 Fix to handle suspend/resume of virtual/carrier threads Dipak Bagadiya #17350
45ed10a Fix typo in JDK11 build instructions James You #17373
575cae3 Remove unnecessary compatibility constant J9DescriptionCpTypeShift Keith W. Campbell #17376
ae2bda7 Throw UnsupportedOperationException in sun.misc.Perf.attach natives Peter Shipton #17380
ba48d1f Refactor GC Object List Allocation/Initialization Salman Rana #17330
7aa3fb8 Introduce GC CRIU (reinit) API for Thread Local Obj Buffers / Env Delegate Salman Rana #17348
0d24025 Remove obsolete references to freetype in jdk8 build instructions Peter Shipton #17379
9f19595 Define J9ClassEnv::primitiveArrayComponentType() Devin Papineau #17274
400ef3e Fix constant mapping in J9ConstantPoolCommand Jack Lu #17371
61cabd5 Support offloading for jdk17+ Peter Shipton #17306
899eedf Ensure JITServer tests check if server exists Irwin D'Souza #17363
663c581 Correct condition for preparing offloading library Keith W. Campbell #17370
7815549 Close VM and thread libraries on successful DestroyJavaVM Graham Chapman #17336
b3ac5be Correct types for min, length in memory segment objects Keith W. Campbell #17275
e698b8f Revert "Restore @OverRide annotation for Access.getLoaderNameID()" Peter Shipton #17361
36f6357 Implement JVM_VirtualThreadHideFrames() Gengchen Tuo #16654
This week, read about:
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 8 systems to protect against this vulnerability. As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
ZooKeeper 3.9.0
Bugs:
ZOOKEEPER-2108 - Compilation error in ZkAdaptor.cc with GCC 4.7 or later
ZOOKEEPER-3652 - Improper synchronization in ClientCnxn
ZOOKEEPER-3908 - zktreeutil multiple issues
ZOOKEEPER-3996 - Flaky test: ReadOnlyModeTest.testConnectionEvents
ZOOKEEPER-4026 - CREATE2 requests embedded in a MULTI request only get a regular CREATE response
ZOOKEEPER-4296 - NullPointerException when ClientCnxnSocketNetty is closed without being opened
ZOOKEEPER-4308 - Flaky test: EagerACLFilterTest.testSetDataFail
ZOOKEEPER-4393 - Problem to connect to zookeeper in FIPS mode
ZOOKEEPER-4466 - Support different watch modes on same path
ZOOKEEPER-4471 - Remove WatcherType.Children break persistent watcher's child events
ZOOKEEPER-4473 - zooInspector create root node fail with path validate
ZOOKEEPER-4475 - Persistent recursive watcher got NodeChildrenChanged event
ZOOKEEPER-4477 - Single Kerberos ticket renewal failure can prevent all future renewals since Java 9
ZOOKEEPER-4504 - ZKUtil#deleteRecursive causing deadlock in HDFS HA functionality
ZOOKEEPER-4505 - CVE-2020-36518 - Upgrade jackson databind to 2.13.2.1
ZOOKEEPER-4511 - Flaky test: FileTxnSnapLogMetricsTest.testFileTxnSnapLogMetrics
ZOOKEEPER-4514 - ClientCnxnSocketNetty throwing NPE
ZOOKEEPER-4515 - ZK Cli quit command always logs error
ZOOKEEPER-4537 - Race between SyncThread and CommitProcessor thread
ZOOKEEPER-4549 - ProviderRegistry may be repeatedly initialized
ZOOKEEPER-4565 - Config watch path get truncated abnormally and fail chroot zookeeper client
ZOOKEEPER-4647 - Tests don't pass on JDK20 because we try to mock InetAddress
ZOOKEEPER-4654 - Fix C client test compilation error in Util.cc.
ZOOKEEPER-4674 - C client tests don't pass on CI
ZOOKEEPER-4719 - Use bouncycastle jdk18on instead of jdk15on
ZOOKEEPER-4721 - Upgrade OWASP Dependency Check to 8.3.1
New Features:
ZOOKEEPER-4570 - Admin server API for taking snapshot and stream out the data
ZOOKEEPER-4655 - Communicate the Zxid that triggered a WatchEvent to fire
Improvements:
ZOOKEEPER-3731 - Disable HTTP TRACE Method
ZOOKEEPER-3806 - TLS - dynamic loading for client trust/key store
ZOOKEEPER-3860 - Avoid reverse DNS lookup for hostname verification when hostnames are provided in the connection url
ZOOKEEPER-4289 - Reduce the performance impact of Prometheus metrics
ZOOKEEPER-4303 - ZooKeeperServerEmbedded could auto-assign and expose ports
ZOOKEEPER-4464 - zooinspector display "Ephemeral Owner" in hex for easy match to jmx session
ZOOKEEPER-4467 - Missing op code (addWatch) in Request.op2String
ZOOKEEPER-4472 - Support persistent watchers removing individually
ZOOKEEPER-4474 - ZooDefs.opNames is unused
ZOOKEEPER-4490 - Publish Clover results to SonarQube
ZOOKEEPER-4491 - Adding SSL support to Zktreeutil
ZOOKEEPER-4492 - Merge readOnly field into ConnectRequest and Response
ZOOKEEPER-4494 - Fix error message format
ZOOKEEPER-4518 - remove useless log in the PrepRequestProcessor#pRequest method
ZOOKEEPER-4519 - Testable interface should have a testableCloseSocket() method
ZOOKEEPER-4529 - Upgrade netty to 4.1.76.Final
ZOOKEEPER-4531 - Revert Netty TCNative change
ZOOKEEPER-4551 - Do not log spammy stacktrace when a client closes its connection
ZOOKEEPER-4566 - Create tool for recursive snapshot analysis
ZOOKEEPER-4573 - Encapsulate request bytebuffer in Request
ZOOKEEPER-4575 - ZooKeeperServer#processPacket take record instead of bytes
ZOOKEEPER-4616 - Upgrade docker image for the dev environment to resolve CVEs
ZOOKEEPER-4622 - Add Netty-TcNative OpenSSL Support
ZOOKEEPER-4636 - Fix zkServer.sh for AIX
ZOOKEEPER-4657 - Publish SBOM artifacts
ZOOKEEPER-4659 - Upgrade Commons CLI to 1.5.0 due to OWASP failing on 1.4 CVE-2021-37533
ZOOKEEPER-4660 - Suppress false positive OWASP failure for CVE-2021-37533
ZOOKEEPER-4661 - Upgrade Jackson Databind to 2.13.4.2 for CVE-2022-42003 CVE-2022-42004
ZOOKEEPER-4705 - Restrict GitHub merge button to allow squash commit only
ZOOKEEPER-4717 - Cache serialize data in the request to avoid repeat serialize.
ZOOKEEPER-4718 - Removing unnecessary heap memory allocation in serialization can help reduce GC pressure.
GitLab Community 16.2.2
Added (1 change):
Add MR reviewers to BitBucketServer import to 16-2
Fixed (2 changes):
Disable IAT verification by default
Enable descendant_security_scans by default GitLab Enterprise Edition
Security (17 changes):
Fix undefined method licenses for nil:NilClass bug (merge request)
Fix undefined method page error in list dependencies (merge request)
Add pagination for license scanning (merge request)
Prevent leaking emails of newly created users (merge request)
Added redirect to filtered params (merge request)
Relocate PlantUML config and disable SVG support (merge request)
Sanitize multiple hardlinks from import archives (merge request)
Validates project path availability (merge request)
Fix policy project assign (merge request)
Fix bug where comments on files with incorrect sha breaks UI (merge request)
Fix pipeline schedule authorization for protected branch/tag (merge request)
Mitigate autolink filter ReDOS (merge request)
Fix XSS vector in Web IDE (merge request)
Mitigate project reference filter ReDOS (merge request)
Add a stricter regex for the Harbor search param (merge request)
Update pipeline user to the last policy MR author (merge request)
Prohibit 40 character hex plus a hyphen if branch name is path (merge request)
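The two ReDoS items above (autolink filter and project reference filter) name the bug class but not the patterns involved. What follows is an added illustration, not GitLab's code, of how an autolink-style text filter becomes a ReDoS sink and what the usual mitigations look like: an ambiguous pattern beside an unambiguous rewrite, plus an input-length cap. Both regular expressions, the sample text and the cap value are constructed for this example and are not GitLab's filters or settings.

```python
import re
import time

# Constructed patterns for an autolink-style filter (not GitLab's filters).
# VULNERABLE: the optional separator inside a repeated group lets a run of
# letters be partitioned in 2^(n-1) ways, so a failed match backtracks
# exponentially before the engine gives up.
VULNERABLE = re.compile(r"([a-z0-9]+[._-]?)+@[a-z0-9.-]+")

# HARDENED: every separator must be followed by at least one letter, so the
# engine has exactly one way to consume each character; backtracking on a
# failed match is then linear in the distance to the failure point.
HARDENED = re.compile(r"[a-z0-9]+(?:[._-][a-z0-9]+)*@[a-z0-9]+(?:[.-][a-z0-9]+)*")

# Defence in depth: cap the text the filter will even look at. The value is
# an assumption for this example, not a GitLab setting.
MAX_FILTER_INPUT = 10_000


def find_addresses(text, pattern=HARDENED, max_len=MAX_FILTER_INPUT):
    """Return the addresses found in text, refusing inputs longer than max_len.

    Rejecting oversize input keeps even a linear pattern from becoming a CPU
    sink when a caller submits megabytes of text in one request.
    """
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} characters exceeds {max_len}")
    return [m.group(0) for m in pattern.finditer(text)]


def pathological_input(n):
    """A run of n letters with no '@': every partition is tried and none matches."""
    return "a" * n + "!"


def timed_search(pattern, text):
    """Seconds spent by pattern.search on text (used by the stand-alone demo)."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample text; both patterns agree on well-formed input.
    sample = "contact alice.smith@example.com or bob-1@mail.example.org today"
    print(find_addresses(sample))
    print(find_addresses(sample, pattern=VULNERABLE))
    # Each extra pair of letters roughly quadruples the vulnerable pattern's time.
    for n in (14, 16, 18):
        bad = pathological_input(n)
        print(n, "vulnerable %.3fs" % timed_search(VULNERABLE, bad),
              "hardened %.6fs" % timed_search(HARDENED, bad))
```

The stand-alone run prints the matches and the timings; the hardened pattern handles the pathological input in microseconds while the vulnerable one visibly slows with every added character. Python's `re` has no match timeout, so the rewrite and the length cap are the only protections available in-process.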
Jenkins 2.417
* Small optimization in computer list.
* Remove the treeview option for artifactList.
* Remove a workaround that was only necessary for OpenJDK 11.0.16 and earlier.
* Use new jenkins-button styling for 'expandableTextbox' button.
* Log agent usage by job.
* Make tab panes accessible via keyboard.
* RPM users with a custom log directory no longer have a logrotate(8) configuration out-of-the-box. (RPM Remove System V initialization script)
* Add allow-same-origin to the sandbox directive of the Content-Security-Policy header sent by the workspace and artifact browsers if the Resource Root URL feature is not used. This allows requests to resources like stylesheets and images even when a reverse proxy prohibits cross-site requests.
* Add the X-Content-Type-Options HTTP header to the response from the agent listener. Silence security scanners that incorrectly report an issue when the HTTP header is missing.
* Only disable the plugin manager "install" button if no plugins are selected (regression in 2.414).
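A post-upgrade check for the two header changes in the 2.417 list above, written as an added example rather than Jenkins' own code. It parses the Content-Security-Policy sent by the workspace/artifact browser and the X-Content-Type-Options sent by the agent listener, flags the pre-2.417 shape of each, and also flags the one combination a reviewer should never accept on a file browser: allow-same-origin together with allow-scripts, which lets scripts in user-supplied files run with the Jenkins origin. The sample header sets are constructed; the CSP value they mimic (Jenkins' default for directory browsing) and the URL in the usage note are assumptions, and on a real instance the headers should come from a live response.

```python
# Constructed responses (not captured from a real server). The CSP string
# mimics Jenkins' default directory-browsing policy; treat it as an assumption.
FILE_BROWSER_BEFORE = {
    "Content-Security-Policy": "sandbox; default-src 'none'; img-src 'self'; style-src 'self';",
    "X-Content-Type-Options": "nosniff",
}
FILE_BROWSER_AFTER = {
    "Content-Security-Policy": "sandbox allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self';",
    "X-Content-Type-Options": "nosniff",
}
AGENT_LISTENER_BEFORE = {"Content-Type": "text/plain;charset=UTF-8"}
AGENT_LISTENER_AFTER = {"Content-Type": "text/plain;charset=UTF-8",
                        "X-Content-Type-Options": "nosniff"}


def _header(headers, name):
    """Case-insensitive lookup on a plain dict (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [tokens]}."""
    directives = {}
    for part in (value or "").split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_file_browser(headers, resource_root_url_in_use=False):
    """Findings for a workspace/artifact browser response; an empty list means OK.

    With the Resource Root URL feature in use, files are served from a separate
    origin and 2.417 does not add allow-same-origin, so that check is skipped.
    """
    findings = []
    directives = parse_csp(_header(headers, "Content-Security-Policy"))
    if "sandbox" not in directives:
        findings.append("no CSP sandbox directive: served files are not sandboxed")
        return findings
    flags = set(directives["sandbox"])
    if "allow-scripts" in flags and "allow-same-origin" in flags:
        findings.append("sandbox grants allow-same-origin with allow-scripts: "
                        "scripts in served files run with the Jenkins origin, "
                        "which defeats the sandbox")
    if not resource_root_url_in_use and "allow-same-origin" not in flags:
        findings.append("pre-2.417 shape: sandbox without allow-same-origin "
                        "(same-origin stylesheet/image loads may be blocked "
                        "behind a proxy that rejects cross-site requests)")
    return findings


def check_nosniff(headers):
    """True when X-Content-Type-Options: nosniff is present (2.417 adds it to the agent listener)."""
    value = _header(headers, "X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


if __name__ == "__main__":
    for label, hdrs in (("before", FILE_BROWSER_BEFORE), ("after", FILE_BROWSER_AFTER)):
        print("file browser", label, check_file_browser(hdrs) or "OK")
    for label, hdrs in (("before", AGENT_LISTENER_BEFORE), ("after", AGENT_LISTENER_AFTER)):
        print("agent listener nosniff", label, check_nosniff(hdrs))
```

To run it against a real controller, feed the dict from a live response, for example the headers of `curl -sI https://jenkins.example/job/demo/ws/` (hypothetical URL), and pass `resource_root_url_in_use=True` if the Resource Root URL is configured.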
MongoDB 7.0 (Upcoming)
General Changes:
* Cache Refresh Time Fields
* Compound Wildcard Indexes
* Large Change Stream Events
* Store Application Data on Config Shards
* User Roles System Variable
* New Sharding Statistics for Chunk Migrations
* New Slow Query Log Message
* New Parameters
Security:
* Queryable Encryption General Availability
* KMIP 1.0 and 1.1 Support
* Backward-Incompatible Feature
MySQL 8.1
Account Management Notes
Audit Log Notes
Binary Logging
C API Notes
Compilation Notes
Component Notes
Deprecation and Removal Notes
IPv6 Support
Logging Notes
Performance Schema Notes
Spatial Data Support
SQL Syntax Notes
Functionality Added or Changed
Bugs Fixed
Ansible AWX 22.6.0
*Refined release documentation
*Restore pre-upgrade pg_notify notification behavior
*Add organization column notification template list
*HostMetricSummaryMonthly command + scheduled task
*Upgrade django to 4.2.3
*Migrate from django-redis to Django's built-in Redis caching support
*Tell Makefile and pre-commit.sh that they are bash
*Allow job_template collection module to set verbosity to 5
*Changing how associations work in awx collection
*Make dispatcher timeout use SIGUSR1, not SIGTERM
*Small doc fixes for workflow and task manager
*Wrap Django RedisCache to mute exceptions
*Require pyyaml >= 6.0.1
*Only push the production images for main repo
*Remove License fields when SUBSCRIPTION_USAGE_MODEL is blank
*Fix collection module docs for names, IDs, and named URLs
*Remove host update code which can be non performant
*Updating release process doc for operator hub instructions
*Add missing trigger for failed-to-start nodes
*Re-enable chdir to project sync to support project-local roles/coll…
*Add a link to EE getting started guide
*Explicitly turn off autocomplete for API login form
*Fix docs link for controller versions >= 4.3
*Only show the product version header when the requester is authenticated
*Add support to collection for named urls
*Simplifications for DependencyManager
*Fix dependencies tag in PR labeler
*Adds autoComplete attribute to forms that were missing it
*Drop unused django-taggit dependency
Strimzi 0.36.1
Important: Strimzi 0.36.1 supports only Kubernetes 1.21 and newer! Kubernetes versions 1.19 and 1.20 are not supported anymore since Strimzi 0.36.
Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!
*Support for Apache Kafka 3.5.1.
*Fix Grafana Dashboards in the Helm Chart.
*Fix issues with 2-node ZooKeeper deployment.
*Documentation fixes.
This week, read about:
Cassandra 4.1.3
New Feature:
* Add a virtual table that exposes currently running queries (CASSANDRA-15241)
Merged from 4.0:
* Revert CASSANDRA-16718 (CASSANDRA-18560)
* Upgrade snappy to 1.1.10.1 (CASSANDRA-18608)
* Fix assertion error when describing mv as table (CASSANDRA-18596)
* Track the amount of read data per row (CASSANDRA-18513)
* Fix Down nodes counter in nodetool describecluster (CASSANDRA-18512)
* Remove unnecessary shuffling of GossipDigests in Gossiper#makeRandomGossipDigest (CASSANDRA-18546)
Merged from 3.11:
* Moved jflex from runtime to build dependencies (CASSANDRA-18664)
* Fix CAST function for float to decimal (CASSANDRA-18647)
* Suppress CVE-2022-45688 (CASSANDRA-18643)
* Remove unrepaired SSTables from garbage collection when only_purge_repaired_tombstones is true (CASSANDRA-14204)
* Wait for live endpoints in gossip waiting to settle (CASSANDRA-18543)
* Fix error message handling when trying to use CLUSTERING ORDER with non-clustering column (CASSANDRA-17818)
* Add keyspace and table name to exception message during ColumnSubselection deserialization (CASSANDRA-18346)
Merged from 3.0:
* Suppress CVE-2023-34462 (CASSANDRA-18649)
* Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)
* Suppress CVE-2023-35116 (CASSANDRA-18630)
* Pass taskId from CompactionTask to system.compaction_history (CASSANDRA-12183)
* Backport CASSANDRA-10508: Remove hard-coded SSL cipher suites (CASSANDRA-18575)
* Suppress CVE-2023-2976 (CASSANDRA-18562)
* Remove dh_python use in Debian packaging (CASSANDRA-18558)
Elasticsearch 8.9.0
Known Issues
Breaking Changes
Aggregations:
Bug Fixes
Allocation:
Authorization:
CRUD:
Cluster Coordination:
Data streams:
Geo:
ILM+SLM:
Infra/CLI:
Infra/Core:
Infra/Logging:
Infra/REST API:
Infra/Scripting:
Infra/Settings:
Ingest Node:
Machine Learning:
Mapping:
Ranking:
Recovery:
Search:
Snapshot/Restore:
TSDB:
Task Management:
Transform:
Enhancements
Aggregations:
Allocation:
Analysis:
Application:
Authentication:
Authorization:
Autoscaling:
DLM:
Data streams:
Engine:
Geo:
ILM+SLM:
Indices APIs:
Infra/Node Lifecycle:
Ingest Node:
Machine Learning:
Mapping:
Ranking:
Recovery:
Search:
Security:
Snapshot/Restore:
Stats:
TSDB:
Vector Search:
New Features
Application:
Authorization:
Data streams:
Geo:
ILM+SLM:
Infra/Node Lifecycle:
Infra/Plugins:
Machine Learning:
Snapshot/Restore:
Stats:
Upgrades
Infra/Transport API:
Network:
Search:
Grafana 10.0.3
Features and Enhancements:
*Alerting: Sort NumberCaptureValues in EvaluationString.
*Alerting: No longer silence paused alerts during legacy migration.
*Auth: Add support for custom signing keys in auth.azure_ad.
*Chore: Upgrade Go to 1.20.6.
*Auth: Remove ldap init sync. (Enterprise)
*Chore: Upgrade Go to 1.20.6. (Enterprise)
Bug Fixes:
*Alerting: Fix edit / view of webhook contact point when no authorization is set.
*AzureMonitor: Set timespan in Logs Portal URL link.
*Plugins: Only configure plugin proxy transport once.
*Elasticsearch: Fix multiple max depth flatten of multi-level objects.
*Elasticsearch: Fix histogram colors in backend mode.
*Alerting: Fix state in expressions footer.
*AppChromeService: Fixes update to breadcrumb parent URL.
*Elasticsearch: Fix using multiple indexes with comma separated string.
*Alerting: Fix Alertmanager change detection for receivers with secure settings.
*Transformations: Fix extractFields throwing Error if one value is undefined or null.
*XYChart: Point size editor should reflect correct default (5).
*Annotations: Fix database lock while updating annotations.
*TimePicker: Fix issue with previous fiscal quarter not parsing correctly.
*AzureMonitor: Correctly build multi-resource queries for Application Insights components.
*AzureMonitor: Fix metric names for multi-resources.
*Logs: Do not insert log-line into log-fields in json download.
*Loki: Fix wrong query expression with inline comments.
*License: Enable FeatureUserLimit for all products. (Enterprise)
Jenkins 2.416
*Community reported issues: 1×JENKINS-71699
*Replace browser confirm with modal dialogs in many places.
*Add last build status to job page.
*Remove the rebuild plugin from the setup wizard plugin selection.
*Estimate project duration accurately in more cases (regression in 2.407).
*Developer: API for alert, confirm, prompt, modal and form dialogs
*Remove long deprecated hudson.util.IOUtils#DIR_SEPARATOR, hudson.util.IOUtils#DIR_SEPARATOR_WINDOWS, hudson.util.IOUtils#DIR_SEPARATOR_UNIX, hudson.util.IOUtils#LINE_SEPARATOR, hudson.util.IOUtils#LINE_SEPARATOR_WINDOWS, and hudson.util.IOUtils#LINE_SEPARATOR_UNIX which are available from org.apache.commons.io.IOUtils.
Kibana 8.9.0
Breaking Changes
Deprecations
Features
APM:
Fleet:
Lens & Visualizations:
Observability:
Security:
Logstash 8.9.0
Notable Issues Fixed:
Updates to dependencies:
Plugins:
Azure_event_hubs Input - 1.4.5
Beats Input - 6.6.3
Http Input - 3.7.2
Snmp Input - 1.3.2
Tcp Input - 6.3.5
Tcp Output - 6.1.2
Prometheus 2.46.0
[FEATURE] Promtool: Add PromQL format and label matcher set/delete commands to promtool.
[FEATURE] Promtool: Add push metrics command.
[ENHANCEMENT] Promtool: Read from stdin if no filenames are provided in check rules.
[ENHANCEMENT] Hetzner SD: Support larger IDs that will be used by Hetzner in September.
[ENHANCEMENT] Kubernetes SD: Add more labels for endpointslice and endpoints role.
[ENHANCEMENT] Kubernetes SD: Do not add pods to target group if the PodIP status is not set.
[ENHANCEMENT] OpenStack SD: Include instance image ID in labels.
[ENHANCEMENT] Remote Write receiver: Validate the metric names and labels.
[ENHANCEMENT] Web: Initialize prometheus_http_requests_total metrics with code label set to 200.
[ENHANCEMENT] TSDB: Add Zstandard compression option for wlog.
[ENHANCEMENT] TSDB: Support native histograms in snapshot on shutdown.
[ENHANCEMENT] Labels: Avoid compiling regexes that are literal.
[BUGFIX] Histograms: Fix parsing of float histograms without zero bucket.
[BUGFIX] Histograms: Fix scraping native and classic histograms missing some histograms.
[BUGFIX] Histograms: Enable ingestion of multiple exemplars per sample.
[BUGFIX] File SD: Fix path handling in File-SD watcher to allow directory monitoring on Windows.
[BUGFIX] Linode SD: Cast InstanceSpec values to int64 to avoid overflows on 386 architecture.
[BUGFIX] PromQL Engine: Include query parsing in active-query tracking.
[BUGFIX] TSDB: Handle TOC parsing failures.
GitLab 16.2.1
Fixed (1 change)
*Fix crash when LDAP CA file set outside tls_options
This week, read about:
Cassandra 4.0.11
* Revert CASSANDRA-16718 (CASSANDRA-18560)
* Upgrade snappy to 1.1.10.1 (CASSANDRA-18608)
* Fix assertion error when describing mv as table (CASSANDRA-18596)
* Track the amount of read data per row (CASSANDRA-18513)
* Fix Down nodes counter in nodetool describecluster (CASSANDRA-18512)
* Remove unnecessary shuffling of GossipDigests in Gossiper#makeRandomGossipDigest (CASSANDRA-18546)
Merged from 3.11:
* Fix CAST function for float to decimal (CASSANDRA-18647)
* Suppress CVE-2022-45688 (CASSANDRA-18643)
* Remove unrepaired SSTables from garbage collection when only_purge_repaired_tombstones is true (CASSANDRA-14204)
* Wait for live endpoints in gossip waiting to settle (CASSANDRA-18543)
* Fix error message handling when trying to use CLUSTERING ORDER with non-clustering column (CASSANDRA-17818)
* Add keyspace and table name to exception message during ColumnSubselection deserialization (CASSANDRA-18346)
Merged from 3.0:
* Suppress CVE-2023-34462 (CASSANDRA-18649)
* Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)
* Suppress CVE-2023-35116 (CASSANDRA-18630)
* Pass taskId from CompactionTask to system.compaction_history (CASSANDRA-12183)
* Backport CASSANDRA-10508: Remove hard-coded SSL cipher suites (CASSANDRA-18575)
* Suppress CVE-2023-2976 (CASSANDRA-18562)
* Remove dh_python use in Debian packaging (CASSANDRA-18558)
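CASSANDRA-16555 (in the 4.1.3 list above and again here for 4.0.11) adds IMDSv2 support. That matters because IMDSv1 answers any unauthenticated GET from the instance, so an SSRF or open proxy in a co-located service can read instance-role credentials from the metadata endpoint; IMDSv2 requires a session token obtained with a PUT that a forwarded request cannot perform. The exchange below is an added example, not Cassandra's snitch code: a constructed stand-in for the metadata service enforcing IMDSv2 (HttpTokens=required), and a client that performs the token handshake. The metadata values, the paths the client reads, and the stand-in's rejection of proxied PUTs (modelled on the documented X-Forwarded-For rule) are assumptions of the example.

```python
import secrets

# Constructed metadata values (not from a real instance).
METADATA = {
    "/latest/meta-data/placement/availability-zone": "us-east-1a",
    "/latest/meta-data/local-ipv4": "10.0.0.12",
    "/latest/meta-data/iam/security-credentials/cassandra-role":
        '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example"}',
}

TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # six hours, the IMDSv2 maximum session length


class MockImds:
    """Stand-in for 169.254.169.254 with HttpTokens=required (or optional)."""

    def __init__(self, require_token=True):
        self.require_token = require_token
        self.tokens = set()

    def __call__(self, method, path, headers):
        """Handle one request and return (status, body) like a minimal HTTP client would."""
        h = {k.lower(): v for k, v in headers.items()}
        if method == "PUT" and path == TOKEN_PATH:
            if "x-forwarded-for" in h:
                # A PUT that passed through a proxy is refused; with the hop
                # limit this keeps the handshake on the instance itself.
                return 403, ""
            ttl = h.get(TTL_HEADER, "")
            if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            return 200, token
        if method == "GET" and path in METADATA:
            token = h.get(TOKEN_HEADER)
            if token is not None and token not in self.tokens:
                return 401, ""  # forged or expired session token
            if token is None and self.require_token:
                return 401, ""  # IMDSv1-style bare GET refused
            return 200, METADATA[path]
        return 404, ""


def fetch_v1(http, path):
    """IMDSv1: a bare GET. Works only while the instance allows HttpTokens=optional."""
    status, body = http("GET", path, {})
    return body if status == 200 else None


def fetch_v2(http, path, ttl=MAX_TTL):
    """IMDSv2: obtain a session token with PUT, then GET with the token header."""
    status, token = http("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed with HTTP {status}")
    status, body = http("GET", path, {TOKEN_HEADER: token})
    return body if status == 200 else None


def fetch_with_fallback(http, path):
    """Generic dual-version client (an assumption, not Cassandra's logic): v2 first, v1 only if no token is issued."""
    try:
        return fetch_v2(http, path)
    except RuntimeError:
        return fetch_v1(http, path)


if __name__ == "__main__":
    imds = MockImds(require_token=True)
    zone = "/latest/meta-data/placement/availability-zone"
    print("v1 against token-required instance:", fetch_v1(imds, zone))
    print("v2 against token-required instance:", fetch_v2(imds, zone))
    print("proxied PUT:", imds("PUT", TOKEN_PATH, {TTL_HEADER: "60", "X-Forwarded-For": "10.9.9.9"}))
```

The operational check that goes with this is to set the instance's metadata options to require tokens once the snitch has been upgraded: a client that still does bare GETs, as the stand-alone run shows, then gets nothing back rather than credentials.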
Kafka 3.5.1
Improvement:
[KAFKA-15159] - Update minor dependencies in preparation for 3.5.1
Bug:
[KAFKA-15053] - Regression for security.protocol validation starting from 3.3.0
[KAFKA-15080] - Fetcher's lag never set when partition is idle
[KAFKA-15096] - CVE-2023-34455 - Vulnerability identified with Apache kafka
[KAFKA-15098] - KRaft migration does not proceed and broker dies if authorizer.class.name is set
[KAFKA-15114] - StorageTool help specifies user as parameter not name
[KAFKA-15137] - Don't log the entire request in KRaftControllerChannelManager
[KAFKA-15145] - AbstractWorkerSourceTask re-processes records filtered out by SMTs on retriable exceptions
[KAFKA-15149] - Fix not sending UMR and LISR RPCs in dual-write mode when there are new partitions
Artemis 2.30.0
ARTEMIS-4184 - Bridges with concurrency not checked/cleared properly on config reload.
ARTEMIS-4354 - Update the recovery XAResource underlying session.
ARTEMIS-4310 - Smaller Container / Dockerfile based on Alpine.
ARTEMIS-4366 - Addresses with multiple subscriptions are not working with Mirroring.
ARTEMIS-4368 - ensure predictable order of subjects for accurate logging.
ARTEMIS-4365 - MQTT retain flag not set correctly.
ARTEMIS-4364 - Upgrade johnzon version to 1.2.21.
ARTEMIS-4356 - address match with wildcards seems to be broken.
ARTEMIS-4351 - unnecessary web console logging on impatient jolokia client.
ARTEMIS-4338 - STOMP inoperable w/resource audit logging enabled.
ARTEMIS-4328 - Test can hang indefinitely.
ARTEMIS-4322 - BundleFactory should use PrivilegedAction.
ARTEMIS-4319 - Mitigate NPE in paging log statement.
ARTEMIS-4315 - Incorrect validation for page-limit settings.
ARTEMIS-4095 - OpenWire clients are unable to consume from multicast queue after 2nd paging.
ZooKeeper 3.9.0
ZOOKEEPER-4718 - Removing unnecessary heap memory allocation in serialization can help reduce GC pressure.
ZOOKEEPER-4719 - Use bouncycastle jdk18on instead of jdk15on.
ZOOKEEPER-4717 - Cache serialize data in the request to avoid repeat serialize.
ZOOKEEPER-4674 - C client tests don't pass on CI
ZOOKEEPER-4599 - Upgrade Jetty to avoid CVE-2022-2048.
ZOOKEEPER-4565 - Config watch path get truncated abnormally and fail chroot zookeeper client.
ZOOKEEPER-4549 - ProviderRegistry may be repeatedly initialized.
ZOOKEEPER-4537 - Race between SyncThread and CommitProcessor thread.
ZOOKEEPER-4514 - ClientCnxnSocketNetty throwing NPE.
ZOOKEEPER-4505 - CVE-2020-36518 - Upgrade jackson databind to 2.13.2.1
ZOOKEEPER-4504 - ZKUtil#deleteRecursive causing deadlock in HDFS HA functionality.
ZOOKEEPER-4494 - Fix error message format.
ZOOKEEPER-4492 - Merge readOnly field into ConnectRequest and Response.
ZOOKEEPER-4491 - Adding SSL support to Zktreeutil.
ZOOKEEPER-4477 - Single Kerberos ticket renewal failure can prevent all future renewals since Java 9.
ZOOKEEPER-4475 - Persistent recursive watcher got NodeChildrenChanged event.
ZOOKEEPER-4472 - Support persistent watchers removing individually.
ZOOKEEPER-4393 - Problem to connect to zookeeper in FIPS mode.
ZOOKEEPER-4296 - NullPointerException when ClientCnxnSocketNetty is closed without being opened.
ZOOKEEPER-4289 - Reduce the performance impact of Prometheus metrics.
ZOOKEEPER-4026 - CREATE2 requests embedded in a MULTI request only get a regular CREATE response.
ZOOKEEPER-3806 - TLS - dynamic loading for client trust/key store.
ZOOKEEPER-3860 - Avoid reverse DNS lookup for hostname verification when hostnames are provided in the connection url.
ZOOKEEPER-3652 - Improper synchronization in ClientCnxn.
ZOOKEEPER-2108 - Compilation error in ZkAdaptor.cc with GCC 4.7 or later.
Docker Compose 2.20.2
Bug Fixes and Enhancements:
*Added support for the depends_on.required attribute.
*Fixed an issue where build tries to push unnamed service images.
*Fixed a bug which meant the target secret path on Windows was not checked.
*Fixed a bug resolving build context path for services using extends.file.
WildFly 29.0.0
New and Notable:
During the WildFly 29 development cycle the WildFly contributors were heavily focused on bug fixing, plus a lot of internal housekeeping that needed doing after all the recent work toward Jakarta EE 10. But we do have some new goodies:
Bug Fixes:
[WFLY-8718] - JDBC driver's xa-datasource-class vs. driver-xa-datasource-class-name in the datasources subsystem
[WFLY-11173] - The JPADefinition.DEPLOY_INSTANCE ResourceDefinition is not correct
[WFLY-12019] - Cannot remove a undertow server resource at one time
[WFLY-12631] - Server doesn't start when DNS_PING is configured
[WFLY-14387] - Resource adapters subsystem does not accept expression for wm-security attribute
[WFLY-15358] - PolicyContextTestCase fails once Undertow extension no longer references PicketBox module
[WFLY-15487] - wfly-25 security config missing support for picketbox "auth-module" impl of javax.security.auth.message.module.ClientAuthModule
[WFLY-16013] - Discovery Group can't change from Socket binding to Jgroups cluster.
[WFLY-16042] - WildFly basic tests started to fail on IBM JDK11
[WFLY-16528] - JSFDeploymentProcessorTestCase fails with Faces 4
[WFLY-16722] - ContextServiceImpl.getTransactionSetupProvider returns null when use-transaction-setup-provider=true
[WFLY-17016] - todo-backend QS has outdated Readme instructions
[WFLY-17169] - NPE in JSF BeanValidator.validate
[WFLY-17349] - WebJPATestCase intermittently fails
[WFLY-17563] - Restore *module.xml necessary for manual installation of different jsf implementations
[WFLY-17699] - Elytron security tests fail since IBM JDK (IBM Semeru Runtime Certified Edition 11.0.15.0)
[WFLY-17704] - Broken formatting in the Getting Started Developing Applications Guide
[WFLY-17783] - Intermittent failures in ReactiveMessagingKafkaUserApiTestCase
[WFLY-17790] - Remove the org.jboss.as.test.integration.logging.syslogserver package from testsuite/shared
[WFLY-17899] - Asciidoc errors reported during build
[WFLY-17921] - Add missing org.jboss.vfs to RESTEasy Spring deployments
[WFLY-17939] - Update HostExcludesTestCase configuration to work with WF29
[WFLY-17947] - todo-backend Readme OpenShift instructions results in a non-functional QS app
[WFLY-17948] - todo-backend bootable jar Helm chart needs to be updated
[WFLY-17950] - 28.0.0.SP1 Quickstart READMEs refer to 28.0.0.Final tag
[WFLY-17953] - Do not use the JBoss Modules MavenResolver for resolving dependencies in tests
[WFLY-17957] - EJB timer schedule increment 0 should be considered as single value
[WFLY-17959] - OpenTelemetry is complaining about "java.lang.NoClassDefFoundError: sun/misc/Unsafe"
[WFLY-17960] - LRA causes a failure in the ContextPropagationTestCase
[WFLY-17961] - Spurious Micrometer error on shutdown
[WFLY-17962] - Remove the ResteasyBootstrap listener from being registered in the AbstractRTSService
[WFLY-17967] - MicroProfile LRA layer should depend on MicroProfile Config layer
[WFLY-18002] - ExpirationMetaData.isExpired() test does not conform to logic in LocalScheduler
[WFLY-18011] - Add java.base/java.net package to recommended client side JPMS settings
[WFLY-18012] - The JaxrsIntegrationProcessor should not attempt to get the RESTEasy configuration when not a REST deployment.
[WFLY-18014] - Missing EE API license entries from core; wrong Apache license URLs
[WFLY-18021] - ee-security quickstart produce WFLYCTL0212: Duplicate resource
[WFLY-18023] - @SessionScoped EJBs are replicating proxy placeholders unnecessarily
[WFLY-18024] - CacheIdentity and IdentityContainer instances are replicating unnecessarily
[WFLY-18026] - Configuration applied on ServerAdd shouldn't apply runtime changes on boot for the sub resources
[WFLY-18036] - Marshalling optimizations are not getting applied to @SessionScoped @Stateful EJBs
[WFLY-18038] - JGroups transport thread pool configuration is ignored
[WFLY-18040] - EJB: make deployments share client context if only static interceptors are used
[WFLY-18043] - WildFly BOMs don't build after WFLY-18018
[WFLY-18046] - Quickstart Readme minor inconsistencies
[WFLY-18050] - When provisioning additional feature packs together with wildfly's feature pack, the generated license.html is incorrect
[WFLY-18065] - Distributed @SessionScoped @Stateful EJBs require excessive cache transactions per invocation
[WFLY-18066] - ByteBufferMarshalledValue generates duplicate buffers during a single marshalling operation
[WFLY-18068] - Quickstart archive contains redundant files
[WFLY-18069] - Eliminate unnecessary buffer copy when writing an object with known size via ProtoStream
[WFLY-18077] - Dependencies in the http-custom-mechanism should be provided
[WFLY-18078] - Dependencies in the helloworld-ws quickstart should be provided
[WFLY-18080] - Regular failures of FaultToleranceMicrometerIntegrationTestCase
[WFLY-18081] - Custom appclient container yaml configuration with additional Messaging settings should be allowed
[WFLY-18083] - Upgrade to Hibernate ORM 6.2.4.final release
[WFLY-18084] - Galleon layers for micrometer and opentelemetry are not documented.
[WFLY-18089] - Error creating a remote connector using ssl-context
[WFLY-18090] - Update removed jboss.server.deploy.dir with jboss.server.content.dir
[WFLY-18095] - Using affinity=primary-owner with a local-cache throws a ClassCastException
[WFLY-18115] - Opentelemetry sampler-type cannot be configured correctly
[WFLY-18117] - Messaging deployment descriptor doesn't parse entries correctly
[WFLY-18128] - Incorrect licenses for some artifacts
[WFLY-18134] - Angus Activation and Angus Mail should be private modules
[WFLY-18137] - Concurrency TCK failure
[WFLY-18141] - Several clustering-related modules should be private
[WFLY-18150] - DistributableTimerService.getTimers() collection may omit timers during concurrent rescheduling process
[WFLY-18155] - Can't build BOMs after switching Jakarta Faces implementation in WildFly
[WFLY-18157] - Add Jakarta Faces API dep back to BOM
[WFLY-18158] - Oracle JDBC driver deployed as deployment needs dependency on jdk.security.jgss module
[WFLY-18170] - Fix Faces 4.0 TCK failures
[WFLY-18179] - Undertow configuration=handler/filter resource require redundant runtime steps
[WFLY-18191] - Fix Faces 4.0 TCK failures + errors
[WFLY-18196] - Various minor inconsistencies in QS Readme files
[WFLY-18200] - Upgrade to Hibernate ORM 6.2.6.Final release
[WFLY-18202] - WildFly 26-28 document logo url incorrect
[WFLY-18206] - Typo preventing galleon state from being generated
[WFLY-18208] - BouncyCastleModuleTestCase fails with Security Manager enabled
[WFLY-18213] - asciidoctor-maven-plugin attribute sourceHighlighter should be source-highlighter
[WFLY-18224] - ClassNotFoundException thrown when processing enums with annotations
[WFLY-18230] - Several security subsystem resource require redundant runtime steps
[WFLY-18246] - Upgrade jacoco from 0.8.7 to 0.8.10 and fix coverage reporting configuration
[WFLY-18252] - Fix the Hibernate ElasticSearch tests to work with ElasticSearch 8.8.x
[WFLY-18254] - NullPointerException during rebalance
[WFLY-18256] - Line endings in license file are not changed to unix
Jenkins 2.415
*Replace browser confirm with modal dialogs in many places.
*Add last build status to job page.
*Remove the rebuild plugin from the setup wizard plugin selection.
*Estimate project duration accurately in more cases (regression in 2.407).
*Developer: API for alert, confirm, prompt, modal and form dialogs
*Remove long deprecated hudson.util.IOUtils#DIR_SEPARATOR, hudson.util.IOUtils#DIR_SEPARATOR_WINDOWS, hudson.util.IOUtils#DIR_SEPARATOR_UNIX, hudson.util.IOUtils#LINE_SEPARATOR, hudson.util.IOUtils#LINE_SEPARATOR_WINDOWS, and hudson.util.IOUtils#LINE_SEPARATOR_UNIX which are available from org.apache.commons.io.IOUtils.
Keycloak 22.0.1
Enhancements:
#10503 Revisit Pod-Template in Keycloak CR keycloak operator
#15344 Support configurable custom Identity Providers keycloak
#21626 [REG 21->22] Error messages on kc build keycloak dist/quarkus
Bugs:
#17711 Accessibility/Clients List: Minor Issues keycloak admin/ui
#21607 `keycloakCRName` and `realm` are no longer marked as required in KeycloakRealmImport CRD keycloak operator
#21625 Version 22.0.0 not started in dev mode and build mode keycloak dist/quarkus
#21629 Migration for 22.0.0 is missing from the documentation keycloak docs
#21637 Broken links to quickstarts in documentation keycloak docs
#21657 Account V3 Missing translate Refresh keycloak account/ui
#21698 Keycloak is storing error events even if storing events is disabled keycloak storage
#21733 Fixing broken JSON translation files keycloak admin/ui
Kubernetes 1.27.4
Changes by Kind
Feature:
Bug or Regression:
Node.js 20.5.0
Notable Changes:
[45be29d89f] - doc: add atlowChemi to collaborators
[a316808136] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal
[986b46a567] - fs: add a fast-path for readFileSync utf-8
[0ef73ff6f0] - (SEMVER-MINOR) test_runner: add shards support
Commits:
[eb0aba59b8] - bootstrap: use correct descriptor for Symbol.{dispose,asyncDispose}
[e2d0195dcf] - bootstrap: hide experimental web globals with flag kNoBrowserGlobals
[67a1018389] - build: do not pass target toolchain flags to host toolchain
[7d843bb942] - child_process: use addAbortListener
[4e08160f8c] - child_process: support Symbol.dispose
[ef7728bf36] - deps: update nghttp2 to 1.55.1
[1454f02499] - deps: update nghttp2 to 1.55.0
[fa94debf46] - deps: update minimatch to 9.0.3
[c73cfcc144] - deps: update acorn to 8.10.0
[b7a076a052] - deps: V8: cherry-pick cb00db4dba6c
[150e15536b] - deps: upgrade npm to 9.8.0
[c47b2cbd35] - dgram: socket add asyncDispose
[002ce31cca] - dgram: use addAbortListener
[45be29d89f] - doc: add atlowChemi to collaborators
[69b55d2261] - doc: fix ambiguity in http.md and https.md
[caccb051c7] - doc: clarify transform._transform() callback argument logic
[999ae0c8c3] - doc: fix copy node executable in Windows
[7daefaeb44] - doc: drop <b> of v20 changelog
[dd7ea3e1df] - doc: mention git node release prepare
[cc7809df21] - esm: fix emit deprecation on legacy main resolve
[67b13d1dba] - events: fix bug listenerCount doesn't compare wrapped listener
[a316808136] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal
[986b46a567] - fs: add a fast-path for readFileSync utf-8
[e4333ac41f] - http2: use addAbortListener
[4a0b66e4f9] - http2: send RST code 8 on AbortController signal
[1295c76fce] - lib: use addAbortListener
[dff6c25a36] - meta: bump actions/checkout from 3.5.2 to 3.5.3
[b5cb69ceaa] - meta: bump step-security/harden-runner from 2.4.0 to 2.4.1
[332e480b46] - meta: bump ossf/scorecard-action from 2.1.3 to 2.2.0
[25c5a0aaee] - meta: bump github/codeql-action from 2.3.6 to 2.20.1
[6406f50ab1] - module: add SourceMap.lineLengths
[cfa69bd48c] - net: server add asyncDispose
[ac11264cc5] - net: use addAbortListener
[82d6b13bf6] - permission: add debug log when inserting fs nodes
[f4333b1cdd] - permission: v8.writeHeapSnapshot and process.report
[f691dca6c9] - readline: use addAbortListener
[227e6bd898] - src: pass syscall on fs.readFileSync fail operation
[a9a4b73653] - src: make BaseObject iteration order deterministic
[d99ea4845a] - src: remove kEagerCompile for CompileFunction
[df363d0010] - src: deduplicate X509 getter implementations
[9cf2e1f55b] - src,lib: reducing C++ calls of esm legacy main resolve
[daeb21dde9] - stream: fix deadlock when piping to full sink
[5a382d02d6] - stream: use addAbortListener
[6e82077dd4] - test: deflake test-net-throttle
[d378b2c822] - test: move test-net-throttle to parallel
[dfa0aee5bf] - Revert "test: remove test-crypto-keygen flaky designation"
[0ef73ff6f0] - (SEMVER-MINOR) test_runner: add shards support
[e2442bb7ef] - timers: support Symbol.dispose
[4398ade426] - tools: run fetch_deps.py with Python 3
RabbitMQ 3.11.20
Core Server
Bug Fixes:
*Fixed a potential resource leak in at-least-once dead lettering from quorum queues.
CLI Tools
Enhancements:
*A new command, rabbitmqctl deactivate_free_disk_space_monitoring, can be used to (temporarily or permanently) disable free disk space monitoring on a node. To re-activate it, use rabbitmqctl activate_free_disk_space_monitoring.
AMQP 1.0 Plugin
Bug Fixes:
*AMQP 1.0 clients that try to publish in a way that results in the message not being routed anywhere are now notified with a more sensible settlement status.
Prometheus Plugin
Enhancements:
*Prometheus scraping API endpoints now support optional authentication.
*The plugin now filters out values that are undefined or NaN, simply excluding them from the API endpoint response. Previously, if a metric was not computed for any reason (e.g. the free disk space monitor was disabled on the node), its value could end up being rendered as undefined or NaN, two values that Prometheus scrapers cannot handle (for numerical types such as gauges).
Management Plugin
Bug Fixes:
*It was not possible to close a table column selection pane on screens that had little vertical space.
Sonatype Nexus Repository 3.58.1
Bug Fixes:
NEXUS-39766: Docker Subdomain connectors work with nGrok again as expected.
NEXUS-39415: Added logging for and made Rubygems - Generate SHA256 Checksums and Repair - Update attributes for RubyGems tasks configurable via the user interface.
Spring boot 3.1.2
Bug Fixes:
*Native reflection hints missing for nested properties declared in a superclass
*Connecting to Mongo fails with an UnknownHostException when spring.data.mongodb.additional-hosts is configured
*Auto-configured ExemplarSampler bean only backs off when a DefaultExemplarSampler is defined
*OTel Span is missing required attributes #36423
*Auto-configured JacksonJsonpMapper is conditional on an ObjectMapper bean but does not use such a bean
*Application fails to start when @Importing a @ConfigurationProperties class that is eligible for constructor binding
*Only one health group can be exposed using management.endpoint.health.group.xxx.additional-path=server:/newpath when using Jersey
*Mongo auto-configuration fails when username or password properties contains a colon (:) or at-sign (@)
*MockitoPostProcessor doesn't check FactoryBean.OBJECT_TYPE_ATTRIBUTE correctly
*Saml2RelyingPartyRegistrationConfiguration can choose the wrong RelyingPartyRegistration.Builder when using a metadata file with multiple providers
*ConfigurationPropertiesReportEndpoint does not display primitive wrapper types
*ConfigurationPropertyName#equals is not symmetric when element has trailing dashes
*ScheduledTasksEndpoint throws NPE if PeriodicTrigger is used with custom SchedulingConfigurer
*Java system properties can not be applied to RestTemplate HttpClient connection in some cases
*Excluding auto-configuration class that relates to a TemplateAvailabilityProvider causes property binding to fail for native images
*When using Flyway 9.20.0, auto-configuration fails with a NoSuchMethodError due to the removal of Oracle-related methods from FluentConfiguration
*Dependency management for Selenium 4.8.x is incorrect
*Slice test annotations do not include SslAutoConfiguration
*Methods in KafkaConnectionDetails are named inconsistently
Apache Solr 9.3.0
Solr 9.3.0 Release Highlights:
Strimzi 0.36
Main changes since 0.35
This release contains the following new features and improvements:
It also has several notable changes, deprecations, and removals:
This week, read about:
Redis 7.0.12
Upgrade urgency SECURITY: See security fixes below.
Security Fixes:
Bug Fixes:
Docker compose 2.20.0
Update:
Dependencies upgrade: bump docker/cli-docs-tools to v0.6.0
Dependencies upgrade: bump docker to v24.0.4
Dependencies upgrade: bump buildx to v0.11.1
Bug Fixes and Enhancements:
Introduced the wait command.
Added support of --builder and BUILDX_BUILDER to the build command.
Added support for the attach attribute from the Compose Specification.
Fixed a DryRun mode issue when initializing CLI client.
Fixed a bug with random missing network when a service has more than one.
Fixed the Secrets file permission value to comply with the Compose Specification.
Fixed an issue about no-deps flag not being applied.
Fixed some source code comments.
Fixed a bug when --index is not set select.
Fixed a process leak in the wait e2e test.
Improved some test speeds.
Etcd 3.4.27
etcd server:
Fix corruption check may get an ErrCompacted error when server has just been compacted
Improve Lease put performance for the case that auth is disabled or the user is admin
Fix embed: nil pointer dereference when stopServer
etcdctl v3:
Add optional --bump-revision and --mark-compacted flag to etcdctl snapshot restore operation.
Dependencies:
Compile binaries using go 1.19.10.
Fluentd 1.16.2
Bug Fix:
#4208 in_tail: Fix new watcher is wrongly detached on rotation when follow_inodes, which causes stopping tailing the file
#4237 in_tail: Prevent wrongly unwatching when follow_inodes, which causes log duplication
#4214 in_tail: Fix warning log about overwriting entry when follow_inodes
#4239 in_tail: Ensure to discard TailWatcher with missing target when follow_inodes
#4178 MessagePackFactory: Make sure to reset local unpacker to prevent received broken data from affecting other receiving data
#4188 Fix failure to launch Fluentd on Windows when the log path isn't specified in the command line
#4229 logger: Prevent growing cache size of ignore_same_log_interval unlimitedly
#4225 Update sigdump to 0.2.5 to fix wrong value of object counts
Misc:
#4191 in_tail: Check detaching inode when follow_inodes
#4228 in_tail: Add debug log for pos file compaction
#4201 #4210 Code improvements detected by RuboCop Performance
#4159 Add notice for unused argument unpacker of ChunkMessagePackEventStreamer.each
Grafana 10.0.2
Features and Enhancements:
Bug Fixes:
Plugin Development Fixes & Changes:
Keycloak 22.0.0
New Features:
#8750 Require user to agree to 'terms and conditions' during registration keycloak
#11089 Securing credentials/passwords not possible with Quarkus distribution keycloak dist/quarkus
#11632 Enable Horizontal Pod Autoscaling for Keycloak deployed with the new Operator keycloak
#15101 Support OpenJDK 19 keycloak
#15910 Hostname debug tool keycloak dist/quarkus
#17252 Add Keycloak Keystore Vault implementation keycloak dist/quarkus
#17659 Claim to User Session Note Idp Mapper keycloak oidc
#19650 Supporting reference access/refresh tokens keycloak
#19968 Allow changing admin console logo and favicon from theme.properties keycloak
#20016 Group attribute query is missing QueryParams in java admin client keycloak admin/client-java
#20262 SSSD integration in Quarkus distribution keycloak
#20625 Add support to the Operator for setting default labels on Keycloak pods keycloak operator
#21254 Support for JWE IDToken and UserInfo tokens in OIDC brokers keycloak identity-brokering
Enhancements:
#356 Update QuickStarts documentation to Quarkus distribution keycloak-quickstarts
#357 Re-enable tests that were disabled when updating tests for the Quarkus dist keycloak-quickstarts
#407 Nashorn dependency no longer needed in quickstarts keycloak-quickstarts
#412 Doublecheck "provider" quickstarts with quarkus3 based Keycloak distribution keycloak-quickstarts
#416 user-storage-* provider quickstarts keycloak-quickstarts
#417 Event listener sysout quickstart keycloak-quickstarts
#421 Event store mem quickstart keycloak-quickstarts
#428 Extend-account-console quickstart keycloak-quickstarts
#436 Remove keycloak-remote profile keycloak-quickstarts
#1791 Clarification on user registration and identity brokering keycloak-documentation
#8753 Reset Credentials Flow does not delete existing OTP keycloak authentication
#9075 Remove any unnecessary dependency from distribution keycloak dist/quarkus
#9434 OTP base32 decode improvements keycloak
#10285 Expose deployment errors in the status field of Keycloak CR keycloak operator
#10562 Support multiple KC instances in a single namespace keycloak operator
#10736 Use SchemaSwap instead of shell script for Realm CRD generation keycloak operator
#10911 Use Quarkus JOSDK to generate CSV for OLM in the operator keycloak operator
#11561 Non ASCII characters in TOTP secret not supported in 2FA configurations keycloak authentication
#11759 Add support to indicate desired locale on init func with onLoad: 'login-required' options keycloak adapter/javascript
#12593 Add a name to the keycloak port in the service keycloak
#13074 Operator CRD status incompatible with kstatus keycloak operator
#14747 Addition of Custom User Attribute Filter to Users API Count Endpoint keycloak
#15003 Enable IPv6 dualstack support by default keycloak dist/quarkus
#15044 Clean `RealmProvider` from methods from other areas keycloak storage
#15046 Remove methods for old default roles approach keycloak storage
#15136 Back to Application link should be client specific with the UPDATE_EMAIL feature keycloak
#15344 Support configurable custom Identity Providers keycloak
#15434 Customize log messages for user storage LDAP configuration in KC shown in admin UI keycloak
#15454 Update migration guide with the changes that need to be done for developers using JAX-RS in their extensions keycloak
#15490 Update Datastore provider to contain full data model keycloak storage
#15789 "Failed to add user 'admin' ..." should not be an ERROR keycloak dist/quarkus
#15947 support parameters like "uri" and "matchingUri" in the UMA grant token endpoint keycloak
#16535 Group Attribute Search Erroneously returns when searching for nested group keycloak storage
#16800 Operator Support for missing leading slash and present trailing slash in `http-relative-path` keycloak operator
#16849 Add "Enable new user after creation" option for Active Directory keycloak
#16902 Refine the set of RPMs included in the keycloak container image keycloak dist/quarkus
#16967 Minimize the RPM content of the Operator container keycloak operator
#16977 CRDB optimization: Optimize selects targeting the primary key or unique keys keycloak storage
#17470 security enhancement : representation of admin events & credentials keycloak
#17484 Migrate realms if configured to use RH-SSO themes keycloak
#19792 Javascript example not printing errors keycloak docs
#19924 Allow pre-filled GitHub issue forms via links from docs keycloak docs
#19959 Add missing Spanish translations for login keycloak translations
#19965 Add `lang` attribute to HTML tag of UIs keycloak account/ui
#19990 Only add Access properties on groups, if the fine grain feature is on keycloak
#20067 Upgrading to Infinispan 14.0.8 keycloak
#20191 Conditional login through identity provider keycloak
#20200 account console v3 theme.properties customizations keycloak
#20216 Correct formatting in Server Developer guide keycloak
#20250 Adhere to HTML standard when using `ul`-element keycloak
#20263 SSSD documentation updated for quarkus distribution keycloak
#20265 SSSD testing with GH actions keycloak
#20303 UserPropertyMapper generated exceptions on mapping keycloak
#20305 Upgrade JNA library keycloak
#20386 Client executor for reject implicit grant when enabled for clients keycloak oidc
#20388 Upgrade owasp html sanitizer to newest version keycloak
#20469 Look ahead window setting in OTP policy is not accurate keycloak admin/ui
#20486 Enable `simple-cache` for `local-cache` keycloak
#20496 Move openshift client integration to separate extension keycloak core
#20497 Move http-challenge authentication flow and the related authenticators to the extension keycloak authentication
#20548 Also run Cypress tests on Firefox keycloak testsuite
#20576 Allow custom annotation in Ingress keycloak
#20582 Show warning message when overriding build options during starts keycloak
#20623 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in PAR request keycloak
#20674 Increase the length of password hash iterations password-policy input in admin ui keycloak admin/ui
#20689 Removing unnecessary message from main command help text keycloak
#20710 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in Request Object pushed to PAR request keycloak
#20773 Add Hardcoded Group mapper to Identify Provider configuration keycloak
#20783 Ability for users to view credentials without manage user permissions keycloak admin/api
#20791 Update docs (and maybe tooltips) for timeout changes keycloak docs
#20817 Improve start page on the account ui keycloak account/ui
#20994 Update securing_applications guide for latest adapter changes (community) keycloak docs
#21064 Allow any JGroups stack with --cache-stack keycloak
#21163 Support for the `locale` user attribute keycloak
#21167 Add missing Polish translations keycloak translations
#21176 Remove adapters from product documentation keycloak docs
#21272 Upgrade to Quarkus 3.2.0.Final keycloak
#21283 Add `iat` claim to JWT that is passed to CIBA HttpAuthenticationChannel keycloak
#21476 When essential claim check fails the error message should provide detailed information keycloak
#21493 Enable publishNotReadyAddresses for discovery service keycloak
Bugs:
#369 Quickstarts for action-token-authenticator / action-token-required-action not working keycloak-quickstarts
#409 Legacy quickstart tests are failing since quarkus3 upgrade keycloak-quickstarts
#437 Tests do not work on OpenJDK 17 for quickstarts keycloak-quickstarts
#9299 Refresh token with offline_access scope affected by session idle/session max keycloak oidc
#9313 LDAPS Bind test fails with SSLHandshakeException while LDAP connection test works keycloak ldap
#10110 Unable to add more than 6 acceptable AAGUIDs for WebAuthn keycloak authentication/webauthn
#10195 User search with LDAP federation not consistent keycloak ldap
#11079 SLO and ACS Binding are linked with AuthnRequest Binding in SAML Identity Broker Metadata keycloak saml
#11728 SSSD Federation fails with NPE after upgrade keycloak authentication
#11990 Negative refresh token expiration (exp timestamp in the past) keycloak oidc
#12012 KEYCLOAK-17116 Copy of Browser Flow overrides an original one keycloak authentication
#12018 Trust Store hostname-verification-policy=ANY seems to be ignored keycloak docs
#12720 Clarify the use of `db-url-properties` keycloak docs
#12745 [keycloak-js] multiple init call with onload option as check-sso cause redirects keycloak adapter/javascript
#12939 importing bin/kc.[sh|bat] import --file doesn't work when using external database keycloak dist/quarkus
#13542 MigrationTest for KC 17 failures in the pipeline keycloak testsuite
#13543 RecoveryAuthnCodesAuthenticatorTest failures in the pipeline keycloak testsuite
#13922 Switching Locale after Completing an admin triggered required action yields an error keycloak authentication
#14441 Client-secret with special character (+) for authorization is failing in 19.0.2 keycloak oidc
#14617 ID token is not including roles keycloak oidc
#14851 Realm update fails when realm has many Identity Providers configured and saves rep. with Admin Events keycloak admin/api
#14854 Client session lifespan doesn't consider user session lifespan keycloak authentication
#15337 User Session Note Mapper no longer adds IMPERSONATOR_USERNAME as SAML attribute keycloak saml
#15536 Able to modify built-in flow keycloak admin/api
#15782 Unable to perform export when server was started with new storage keycloak dist/quarkus
#15845 Realm localization: Inconsistent message resolving regarding language fallbacks for different themes keycloak core
#15853 Incorrect Signature algorithms presented by Client Authenticator keycloak oidc
#15898 Keycloak Export only accepts H2 database URL (Datasource: URL format error; must be jdbc:h2 ... but is jdbc:mariadb: ...) keycloak dist/quarkus
#16165 SSSD User Federation disappeared in 20.0.1/20.0.2 keycloak authentication
#16166 Set OpenShift as a "Social Identity Provider" cannot work keycloak identity-brokering
#16321 Single client export bug keycloak docs
#16507 Hibernate 6 upgrade: Warning SqmDynamicInstantiation about dynamic Map instantiation keycloak storage
#16551 Quarkus 3: RealmModelTest.testRealmLocalizationTexts fails keycloak testsuite
#16577 Setting user password and entering "password confirmation" first leads to blocking of "save" keycloak admin/ui
#16613 Impossible to update a federated user credential label keycloak admin/api
#16833 Update documentation around `View all users` behavior in the new admin console keycloak docs
#16992 upgrading from v18.0.2 to 19.0.3 or 20.0.3 fails with ERROR duplicate key value violates unique constraint "constraint_3c" keycloak core
#17130 Theme & Provider folder empty in KeyCloak 20.0.3 keycloak docs
#17288 New Referrer-policy breaks cross-origin SP<->IdP (KC) keycloak saml
#17294 Make LDAP `searchForUsersStream` consistent with other storages keycloak storage
#17304 javax.net.ssl.SSLException exceptions because org.keycloak.adapters.HttpClientBuilder ignores connectionTTL setting keycloak oidc
#17312 Error updating old version (Keycloak 8) to Keycloak 20. NPE thrown due the realm.getDefaultRole() keycloak core
#17377 Error: realms.removeSession wrong generic type keycloak admin/client-js
#17388 Incorrect Url on Keycloak Health - Liveness and Readiness, no Startup Probes keycloak operator
#17581 `JpaUserProvider` count methods are inconsistent with `searchForUser`'s param filter handling keycloak storage
#19096 Memory issue with PathCache when running the traffic keycloak authorization-services
#19136 Report an issue link points to Jira instead of GHI keycloak docs
#19155 Priority not sent to server when adding new RSA key provider keycloak admin/ui
#19156 Server Deployment documentation is not updated to Quarkus keycloak docs
#19193 Slow Query Caused By Composite Indexes Order On Broker Link Table keycloak storage
#19257 User ID is ignored in partial import keycloak import-export
#19323 Hibernate 6: Entity in Key not returned when querying keycloak storage
#19368 Facebook identity provider not working keycloak identity-brokering
#19485 SignatureProvider not showing up in the Default Signature Algorithm list keycloak admin/ui
#19530 Custom ResetCredentialEmail does not work after upgrade to Keycloak 21 keycloak core
#19575 Account Console II doesn't remove TOTP from UserStorage keycloak account/api
#19596 A way to override internal SPI after KC 21 keycloak core
#19638 Custom User Storage Provider doesn't look up users after saving changes keycloak admin/ui
#19675 Gzip cache is only invalidated upon Keycloak version changes keycloak core
#19677 AlreadyLoggedIn when impersonating a user in a SAML client keycloak core
#19725 Operator restarts occasionally result in recreation of managed keycloak Statefulset Pods keycloak operator
#19746 Email settings erased after any change on realm settings keycloak admin/ui
#19763 Documentation for User Storage Spi is incorrect keycloak storage
#19777 Custom providers are not loaded properly in KC21 keycloak core
#19805 Custom SignatureProviderFactory is not working as expected after Keycloak 21 upgrade keycloak core
#19814 Testsuite must rely on IDs from Keycloak keycloak testsuite
#19818 Support for realm-less entities in login failures keycloak storage
#19844 NPE when updating a subflow in an authentication flow keycloak admin/api
#19849 Incorrect HTTP status reported when DNS resolver is not available (and DB connection unavailable due to that) keycloak core
#19852 Admin UI does not respect default values for custom authenticator configurations keycloak admin/ui
#19897 Create a Client Policy on realm with client-roles or client-scopes condition raises an exception on the Client details keycloak admin/ui
#19932 Test app is not functioning - https://www.keycloak.org/app/ keycloak docs
#19933 Account v3 - account console link redirect to master realm keycloak account/ui
#19942 New Flow created for Post Login Flow IDP not mark "Used by" at Flows keycloak admin/ui
#19950 Logout redirect URL truncated since v20 keycloak oidc
#19957 User search with more than two keywords returns empty list keycloak storage
#19982 Default Roles show all roles if "Hide inherited roles" is not checked keycloak admin/ui
#20007 Conditional user attribute authenticator does not match the joined groups keycloak oidc
#20009 authenticator JavaScript Provider always fails the login, user context is lost and breaks the login keycloak core
#20013 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet keycloak ci
#20020 Cannot find @Generated annotation for ServicesLogger keycloak dependencies
#20070 Update passthrough behavior and docs keycloak dist/quarkus
#20077 Conditionally build WildFly adapters for our testsuite keycloak testsuite
#20085 Custom theme - url.resourcesCommonPath references wrong theme keycloak admin/api
#20097 FederatedUserLink always points to LDAP keycloak admin/ui
#20101 Duplicated serverPrincipal property in LDAPStorageProviderFactory keycloak storage
#20105 Unable to template emails in EventListenerProvider (No realm in provided KeycloakSession) keycloak authentication
#20119 Support for non-XA databases keycloak storage
#20182 User defined message bundles do not apply correctly to Admin Console keycloak admin/ui
#20194 Valid redirect URI & web origin input fields display when "Standard flow" is disabled keycloak admin/ui
#20202 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testLazyClientSessionStatsFetching keycloak ci
#20259 Failing ExternalLinks tests for old Keycloak JIRA Links keycloak docs
#20261 Quarkus 3 build properties break product build keycloak dist/quarkus
#20269 Flaky test: org.keycloak.testsuite.model.infinispan.CacheExpirationTest#testCacheExpiration keycloak ci
#20304 When choosing resources in scope-based permission, multiple resources can be selected but only one will be visible keycloak admin/ui
#20329 Additional Provider Info only shows at end of list not below provider keycloak admin/ui
#20331 Keycloak-js crasher: Missing null checks. Websites that have inline scripts without a src attribute as src attributes are not required. keycloak adapter/javascript
#20332 Error 500 after signin to admin console: NullPointerException keycloak core
#20349 WebAuthn test fails in the GHA keycloak testsuite
#20372 keycloak-js-admin-client and keycloak-js-adapter do not build when a maven proxy is configured keycloak
#20384 Fix User Federation tests after Q3 upgrade keycloak testsuite
#20385 Servlet tests for JBoss-based adapters with TLS are broken keycloak testsuite
#20387 Productization issue related to JNA upgrade keycloak dependencies
#20401 SAML error not shown to user keycloak admin/ui
#20426 ClientScope changes don't invalidate the realm cache keycloak storage
#20433 Administration / Keycloak Admin REST API documentation can no longer be generated keycloak docs
#20443 Avoid NPE while fetching offline sessions keycloak storage
#20459 Changing the email address has no impact at username regardless "Email as username" toggle keycloak user-profile
#20481 Fix tests related to file storage keycloak testsuite
#20489 Admin UI - unable to load user's groups when large number of groups defined for the realm keycloak admin/ui
#20498 When user federation is enabled, admin console user search doesn't show search field keycloak admin/ui
#20503 Enabled User Event Types not visible when "Save events" disabled. keycloak admin/ui
#20506 User events settings - "Save events" toggle doesn't always activate Save button. keycloak admin/ui
#20510 Ensure proper escaping for LDAP keycloak storage
#20534 For versions > 18.x.x client mapper is not able to override "name" for OpenID tokens keycloak oidc
#20536 [Declarative User Profile] Optional attributes become required keycloak admin/ui
#20540 `register-node-at-startup` in EAP Client Adapter eventually causes "java.lang.OutOfMemoryError: unable to create native thread keycloak adapter/jee
#20541 Identity providers initialization has to use models keycloak storage
#20550 Update example custom cache configuration for v>21 keycloak docs
#20564 keycloak-admin-client does not url-encode client id and secret for basic auth as defined in RFC6749 keycloak admin/client-js
#20599 Introduced additional dependencies in the testsuite keycloak testsuite
#20615 Moving a group to root loses all its members keycloak admin/ui
#20622 FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error keycloak oidc
#20635 Add back examples for Kubernetes and Openshift to the quickstarts keycloak core
#20656 Reset password does not show option to sign out from other devices keycloak authentication
#20670 Could not process response from SAML identity provider because "this.text" is null keycloak identity-brokering
#20671 Userinfo endpoint doesn't accept charset keycloak oidc
#20673 Missing SAML Allow ECP Flow option keycloak admin/ui
#20694 Selecting one mapper and switch page select them all keycloak admin/ui
#20700 REST API Documentation ref wrong keycloak docs
#20703 Realm export performance heavily depends on the amount of users per file keycloak import-export
#20723 Keycloak deployed via new keycloak-operator triggers OpenShift alert `IngressWithoutClassName` keycloak operator
#20725 Denial of Service/100% CPU usage: CRLUtils in infinite loop if more than one CRL list is used from different CAs keycloak core
#20732 Keycloak erases form data on validation when `login_hint` is present keycloak account/ui
#20757 SEND_RESET_PASSWORD event is not stored keycloak admin/api
#20782 Mappers tab is not reachable on identity provider settings keycloak admin/ui
#20831 Webauthn signature algorithms are improperly encoded as strings keycloak authentication/webauthn
#20835 There is no server side pagination for sessions keycloak admin/ui
#20847 Private key JWT authentication no longer works on Keycloak 21 keycloak authentication
#20851 Empty shortVerificationUri not the same with default (null) value keycloak authentication
#20855 Session cross-reference / transaction mismatch keycloak core
#20878 Emails with non-ascii characters are not allowed since v21.0.0 keycloak user-profile
#20888 Flaky test: org.keycloak.operator.testsuite.integration.ClusteringTest#testKeycloakScaleAsExpected keycloak operator
#20895 Keycloak's default http client doesn't check HTTP response code keycloak core
#20920 keycloak-server from testsuite won't start keycloak testsuite
#20947 Partial Import is not working for resource Type in keycloak 21.1.1 keycloak import-export
#20951 Jump links render wrong on small screens keycloak admin/ui
#20954 Performance degradation when upgrading from RHSSO 7.6 to KC22 caused by TLSv1.3 processing keycloak dist/quarkus
#20974 Avoid loading classes and resources from new store if legacy is enabled keycloak storage
#20977 NPE when shutting down JPA after a failed initialization keycloak storage
#20978 processGrantRequest in TokenEndPoint uses new TokenManager instead of this.tokenMananager keycloak oidc
#21045 Custom User Storage Provider gets disabled when saved keycloak admin/ui
#21047 Role details not visible unless the user has "View Realm" enabled keycloak admin/ui
#21095 Group list isn't filtered based on permission like user lists keycloak
#21106 Service Account Impersonation fails and results in weird browser state keycloak core
#21120 Client scopes mapping not available for users with "view-clients" and "query-clients" keycloak admin/ui
#21234 custom user storage provider update in admin-ui disables it, and stores value “t” as enabled keycloak admin/ui
#21242 GroupResource POST /children cannot update existing subgroups keycloak admin/api
#21263 Broken Links / Redirects Issues in Docs - 2023-06-27 keycloak docs
#21290 UserSessionConcurrencyTest#testConcurrentNotesChange fails intermittently keycloak testsuite
#21295 UserSessionProviderModelTest#testRemoteCachesParallel sessions are not removed after the test keycloak testsuite
#21300 Keycloak Docs for Native App Redirect URI Should Recommend the IP literal keycloak docs
#21307 3rd party check in iframe not working anymore in safari and keycloak 21.1.2 keycloak oidc
#21317 [docs] External Links Errors - saml.xml.org http -> https redirect keycloak docs
#21349 List of tested database in docs doesn't match pom.xml keycloak docs
#21358 NPE in Edit Identity Provider Mapper on second Save keycloak admin/ui
#21394 SSSD users with capitals in the email cannot login to keycloak keycloak core
#21412 JavascriptAdapterTest is broken due to the multiple initialization of JS adapter keycloak testsuite
#21427 Nexus staging plugin failing after Java 11 deprecation keycloak ci
#21451 Cookie error on second browser tab keycloak core
#21456 Quarkus 3.2 changed the property for quarkus.transaction-manager.object-store-directory keycloak dist/quarkus
#21491 Wrong message for sync actions on LDAP role mapper keycloak admin/ui
AMQP 1.0 Plugin
Bug Fixes:
Prometheus Plugin
Enhancements:
Management Plugin:
Bug Fixes:
STOMP Plugin
Bug Fixes:
stomp.max_frame_size = 10485760
# 2 MiB
stomp.max_frame_size = 2097152
Shovel Plugin
Bug Fixes:
Web MQTT Plugin
Enhancements:
web_mqtt.use_file_handle_cache = false
Web STOMP Plugin
Enhancements:
web_stomp.use_file_handle_cache = false
Ansible AWX 22.5.0
What's Changed:
As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.